little bird

New Member
Have you ever wondered how a mobile APP abuses your privacy? Our team now uncovered the truth about it. We use Youmi SDK as our sample to introduce you how much information an advertising SDK on Android steals. Here is the truth:

We downloaded Youmi SDK v5.3.3 (package name: YoumiSdk_v5.3.3_2015-10-10.jar) from its official website to run the test and found that Youmi did almost everything it can within this SDK to try to get to know every detail about you.

1. It can get the list of all apps installed on the phone. A lot of Ad SDK (including Youmi) can get to know your interests and draw an accurate profile of you through analyzing what apps you have installed. The information is usually sold (or kept by themselves) for targeted advertising.

2. It can get a list of all the running process on the phone. Are you browsing Ashley Madison? Are you on YouTube? Are you using photo beautification App? Youmi knows EVERYTHING you are doing on your phone!

3. It can get the information of all the running App you are using right now.

4. It can get a collection of the information of all the Apps that you used recently. Whether the APP once ran or is running now in the background, Youmi won’t miss anything. It just pulls out everything it has to get your privacy and analyze you, deeply and comprehensively.

5. It can get APP usage infomation. This obviously used a method offered by Android 5.0 which aims at tracking APP usage. Google proved itself as an advertising company by making this method public since Android 5.0 and thus allows all advertising platforms to get to know all your habits, even your subconsciousness and then get an user portrait of you. Youmi is exactly one of those companies.

6. It pinpoints you location through Internet connection. It knows where you have been, where you have stayed for the longest time and where you usually hang around through keeping tracking of you.

7. What’s even worse is that Youmi can locate you through base station. It can get the information of where you have been and where you are. We don’t know what is Youmi planning to do with it but we do know it is dangerous that someone spies on you every hour of every day.

8. It can get your IMEI (International Mobile Station Equipment Identity). This is the unique code of each phone. It is like the ID of the phone and a lot of SDKs use it to identify users. They collect all the information connected to this ID and set up big data system to get a clear picture of you. Of course Youmi gets your IMEI, too. YOU ARE LOCKED.

9. It can get your Android ID. This is another way to track you down. Android ID won’t change unless you format your phone. According to Google official statement, Android ID is a 64-bit number that is randomly generated on the device’s first boot and should remain constant for the lifetime of the device. (The value may change if a factory reset is performed on the device.)

10. It can get the Mac address of the Network Interface Card. It seems Youmi won’t miss every little detail of your personal information.

To view more information and the source code of Youmi, you can have a look on our security blog: or like our facebook page Toolwiz Family

Furthermore, if you are suspicious of some APPs regarding privacy protection, please don’t hesitate to let us know. We can help you to check the APK and see if this APP is doing anything evil. Just leave us a message here or send Email to

Let us discover more privacy secrets for you.


Level 4
Esentially a lot! Your meta data can be compromised depending on the apps permissions alone so ads well that's the least of you worries with android apps ;) they can build in plugins that will essentially let them do what they want as long as you say yes when the permissions window comes up. Lots of apps track you constantly its part of the google SDK to add those specific plugins into any app.


Level 61
Well a lot of legitimate programs contains numerous permissions that sometimes you need to analyze it carefully cause some are not intended for statistics but data stealing instead in the direct way.

So SDK's are just a prime example that permissions to access are wide covered and we take it for granted due to the file is legitimate or came from known source.