Documents demonstrate that code in consumer-facing apps is linked to US national-security contractors.
Google has removed dozens of apps from its Google Play store after discovering that they contain a software component that collects data invisibly.
Corporate documents and online registrations link Measurement Systems S. de R.L., the Panamanian company that produced the malware, to a Virginia defence contractor that undertakes cyberintelligence, network-defence, and intelligence-intercept work for US national-security organisations.
According to two researchers who discovered the code’s behaviour in the course of auditing work looking for vulnerabilities in Android apps, the code was found inside several Muslim prayer apps that have been downloaded more than 10 million times, as well as a highway-speed-trap detection app, a QR-code reading app, and a number of other popular consumer apps. They informed Google, a subsidiary of Alphabet Inc., federal privacy regulators, and The Wall Street Journal about their findings.
Developers said Measurement Systems paid them to incorporate its code—known as a software development kit, or SDK—into their apps all across the world. According to Serge Egelman, a researcher at the International Computer Science Institute at the University of California, Berkeley, and Joel Reardon of the University of Calgary, its presence allowed the Panamanian company to secretly collect data from those apps’ users.
Modern apps frequently contain SDKs from unknown organisations like Measurement Systems, which are “not audited or well understood,” according to Mr. Egelman. App developers are typically enticed to include them since they provide a steady stream of revenue as well as precise information on their user base.
Mr. Egelman stated, “This saga continues to emphasise the significance of not accepting candy from strangers.”
The two men, who also co-founded AppCensus, a business that investigates the security and privacy of mobile apps, believe the programme is the most privacy-invading SDK they’ve encountered in their six years of research. Mr. Egelman stated that it can “without a doubt be regarded as malware.”
In a report shared with the Journal and previously sent to the Federal Trade Commission, he and Mr. Reardon recorded their findings on the Measurement Systems code. The two men published the list of apps in which they discovered the code in a blog post. They also informed Google of their discoveries in March, prompting an investigation that resulted in the removals. “We cannot comment on whether we are examining a specific incident since FTC investigations are confidential,” an FTC spokeswoman stated.
According to Scott Westover, a Google representative, apps containing Measurement Systems software were removed from the Google Play Store on March 25 for gathering users’ data outside of Google’s rules. Mr. Westover said the apps may be relisted once the software is removed. Some apps have already been relisted.
Google’s action does not affect Measurement Systems’ ability to collect data from the millions of phones around the world where its software is already installed. Shortly after Messrs. Egelman and Reardon began disseminating their findings, however, the SDK stopped gathering data on users and shut itself down.
According to Messrs. Egelman and Reardon, Measurement Systems software was found in more than a dozen apps, including several Muslim-themed prayer apps such as Al Moazin and Qibla Compass. According to the two researchers, the Measurement Systems software kit was present in apps downloaded on at least 60 million mobile devices, and probably many more. Google would not reveal how many apps contained the spyware in total.
According to their findings, the software’s true reach could be much broader, because it can detect the presence of other devices on the same Wi-Fi network as a device running an app with the code, which could allow social networks to be mapped.
Measurement Systems was gathering data on behalf of internet service providers, banking service providers, and energy firms, according to Parfield, the Egypt-based creator of Al Moazin and other religious-themed apps. Qibla’s creators have yet to respond to a request for comment.
According to documents reviewed by the Journal, Measurement Systems told app developers it wanted data primarily from the Middle East, Central and Eastern Europe, and Asia—an unusual request given that data from the United States and Western Europe typically commands the highest prices among commercial brokers. Measurement Systems, according to several developers, required them to sign nondisclosure agreements.
Other notable Android consumer apps that used the Measurement Systems SDK included weather apps, QR-code scanners, and a highway-radar detection app. The Journal obtained statistics on the geographical distribution of users of apps running the Measurement Systems code from Pixalate, a third-party company that monitors app analytics. One of the weather apps that ran the code was very popular in Iran.
Messrs. Reardon and Egelman discovered that the SDK was capturing a considerable amount of data about each user, including precise location, personal identifiers such as email addresses and phone numbers, and data about nearby computers and mobile devices. Consumer-data brokers may acquire similar information, but their data sets rarely contain individual identifiers such as email addresses and phone numbers, because that could violate data-privacy rules.
When the cut-and-paste capability is used, the Measurement Systems SDK can also capture information from the phone’s clipboard, such as passwords. And, as Messrs. Reardon and Egelman discovered, it can scan some areas of the phone’s file system, including the files saved in the WhatsApp downloads folder. It could not read the files’ contents, but it could check whether they matched known files using a technique known as compare-by-hash.
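To make the compare-by-hash point concrete, here is an added illustration that is not code from the article, the researchers, or Measurement Systems. It shows, on constructed sample data, why a scan that reports only file digests still reveals which catalogued documents a person holds: the observer precomputes digests of material it already has, receives only a digest per file from the device, and matches the two sets. Unique personal files produce no match and their contents are never exposed, which is exactly the distinction the paragraph above draws. The file names, bytes, and catalogue labels are all made up for the example.

```python
import hashlib
from typing import Dict

# Constructed sample files standing in for a downloads folder: name -> bytes.
# No real user data is involved.
SAMPLE_FILES: Dict[str, bytes] = {
    "IMG-20220401.jpg": b"constructed bytes of a private photo",
    "leaflet.pdf": b"constructed bytes of a widely shared leaflet",
    "notes.txt": b"constructed bytes of personal notes",
}

# Constructed catalogue that an observer already holds: label -> known bytes.
# In a compare-by-hash scheme these bytes never leave the observer; only the
# digests of the device's files travel the other way.
KNOWN_DOCS: Dict[str, bytes] = {
    "leaflet-campaign-A": b"constructed bytes of a widely shared leaflet",
}


def sha256_hex(data: bytes) -> str:
    """Fixed-size digest of file contents; a digest cannot be turned back into the file."""
    return hashlib.sha256(data).hexdigest()


def build_known_index(known_docs: Dict[str, bytes]) -> Dict[str, str]:
    """Precompute digest -> label for every document in the observer's catalogue."""
    return {sha256_hex(blob): label for label, blob in known_docs.items()}


def hashes_only(files: Dict[str, bytes]) -> Dict[str, str]:
    """What a compare-by-hash scan reports about a device: name -> digest, never contents."""
    return {name: sha256_hex(blob) for name, blob in files.items()}


def match_by_hash(reported: Dict[str, str], known_index: Dict[str, str]) -> Dict[str, str]:
    """Identify which reported files are byte-identical copies of catalogued documents.

    Files absent from the catalogue (the private photo, the personal notes) stay
    unidentified: the observer learns only that some file with that digest exists.
    """
    return {
        name: known_index[digest]
        for name, digest in reported.items()
        if digest in known_index
    }


if __name__ == "__main__":
    index = build_known_index(KNOWN_DOCS)
    report = hashes_only(SAMPLE_FILES)
    # Only leaflet.pdf is identified; the other two digests match nothing.
    print(match_by_hash(report, index))
```

Note that the matching is exact: a file that differs by a single byte from the catalogued copy yields a different digest and is not identified, which is why such schemes work well for widely circulated, unmodified material and poorly for anything edited or unique.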
WhatsApp is widely used around the world as an alternative to text messaging. It encrypts messages as they travel over the internet, which safeguards users’ privacy but complicates law-enforcement and intelligence agencies’ ability to intercept content.
“A database locating someone’s actual email and phone number to their accurate GPS location history is particularly alarming,” Mr. Reardon wrote in a blog post explaining their findings. “It could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals.”
The Defense Department and other national-security organisations have previously stated that they purchase substantial volumes of data from private companies, but they have been reluctant to share details. According to a Pentagon official, “as part of their authorised activities, Department of Defense Components purchase publicly and commercially available data to inform research of foreign threats to national security.”
According to online domain records from as recently as this month, a US-based firm named Vostrom Holdings Inc. registered Measurement Systems’ internet domain in 2013. Measurementsys.com is now registered to a service that “protects the privacy of domain name proprietors,” according to those documents.
According to corporate records, Vostrom does business with the federal government through a company called Packet Forensics LLC. According to corporate records, Measurement Systems S de R.L. also identified two holding corporations as officers, both of which share a Sterling, Va., address with people connected to Vostrom. According to corporate ownership records, one of those people also controlled a U.S. LLC with the same name: Measurement Systems LLC.
“The charges you make regarding the company’s operations are untrue,” Measurement Systems wrote in an email. “Furthermore, we are not aware of any connections between our firm and US defence contractors, nor of…a firm called Vostrom. We don’t know what Packet Forensics is or how it applies to our business.” Measurement Systems did not respond to questions regarding how Vostrom came to own its domain.
According to business ownership documents and a person familiar with the case, Vostrom and its subsidiaries are associated with Rodney Joffe, a longtime cybersecurity consultant for the US government, and are operated by several of his protégés.
“Mr. Joffe has a minority stake in Packet Forensics and serves as its nonexecutive chairman, but he hasn’t worked in the company for several years.” Mr. Joffe has never had a financial stake in Vostrom Holdings or been hired by the company, according to a spokesperson for Mr. Joffe.
People familiar with Mr. Joffe’s employment say he gathers specialised data and capabilities for government groups, sometimes on classified programmes. He has been at the centre of a long-running debate concerning the monitoring of online traffic at Donald Trump’s properties during the 2016 election.
As a significant share of internet traffic has become encrypted, governments have turned to software on mobile devices to collect information on people and the places they go. According to the Journal, a healthy market for gathering location data from phones has evolved, with government agencies becoming big buyers of such data.
That data can include geolocation, which has given rise to a multibillion-dollar location-analytics sector devoted to understanding people’s movements. Several technology executives from companies that don’t generally sell to the government have said they’ve been approached by US intelligence agencies and asked to voluntarily provide user data in bulk or to run warrantless queries on their data for law enforcement.
Measurement Systems says its software collects “non-personal information about app users” and offers to pay developers to integrate it into their mobile apps.
Developers could earn anywhere from $100 to $10,000—or more—per month, according to materials obtained by the Journal, depending on how many active users they could deliver. The company was particularly interested in users who had granted the app permission to access their location, according to the documents, but it stressed that such permissions were not required to collect data.