Android apps with 45 million installs used data harvesting SDK

LASER_oneXM

Mobile malware analysts warn about a set of applications available on the Google Play Store, which collected sensitive user data from over 45 million installs of the apps.
The apps collected this data through a third-party SDK that includes the ability to capture clipboard content, GPS data, email addresses, phone numbers, and even the user's modem router MAC address and network SSID.

This sensitive data could lead to significant privacy risks for the users if misused or leaked due to poor server/database security.
Furthermore, clipboard contents could potentially include very sensitive information, including crypto wallet recovery seeds, passwords, or credit card numbers, which should not be stored in a third-party database.

According to AppCensus, who discovered the use of this SDK, the collected data is bundled and transmitted by the SDK to the domain "mobile.measurelib.com," which appears to be owned by a Panama-based analytics firm named Measurement Systems.
 

Gandalf_The_Grey

From that article:
Apps using this SDK
The most popular and downloaded applications found to be using this SDK to send sensitive user data are the following:
It’s important to note that all of these apps were reported to Google on October 20, 2021, and were subsequently investigated and removed from the Play Store.

However, their publishers managed to reintroduce them on the Play Store after removing the data-harvesting SDK and submitting new, updated versions to Google for review.

If users installed the apps on a previous date, though, the SDK would still be running on their smartphones, so removal and re-installation would be advised in this case.


Unfortunately, as data collection libraries quietly run in the background collecting data, it's difficult for users to protect themselves from them. Therefore, it is advised that you only install apps from trustworthy developers who have a long history of highly reviewed apps.

Another good practice is to keep the number of apps installed on your device at the minimum necessary and ensure that the permissions requested are not overly broad.