Security experts are warning Android users after scores of apps in the Google Play Store were found to be secretly collecting sensitive data.
According to security expert Andrey Meshkov, who made the discovery, Android apps and Google Chrome extensions helped to form a “huge spyware campaign” that was capable of scraping sensitive data from a victim’s Facebook account.
In a blog post, Meshkov said that the rogue apps can also scrape data from posts, tweets, YouTube videos and any adverts the victim has clicked on.
The collected data is then sent to a third-party firm called Unimania, which allegedly sells the data for profit to anyone who wants to buy it.
Meshkov added that some of the Android apps in the Google Play Store that have been scraping data from users have been downloaded millions of times.
Two of the apps identified by Meshkov are called Fast and Fast Lite, which allow people to manage their Facebook profile outside of the official Facebook app. The apps have been downloaded a total of 11 million times.
Both Fast and Fast Lite revealed in their privacy policies that data would be passed to Unimania.
In his blog post, Meshkov added: “This was not just a matter limited to Chrome extensions, and I realized that I needed to continue my investigation.
“To this end, some good news was that we already had some data collected while preparing a study on mobile apps tracking and I could make use of it and query it right away.
“That’s how I found one particular app that was connecting to the Unimania servers.
“This was an alternative Facebook client called “Fast – Social App” with a record of more than 10,000,000 installs according to Google Play.
“Scanning this developer apps’ traffic confirmed that “Fast-Social App” transfers pretty much the same data as the Chrome extensions do, and to the same Unimania servers.
“I also found out that “Fast Lite – Social App + Twitter” (1,000,000+ installs) also does the same thing.”
Meshkov went on to identify other apps that mention Unimania in their privacy policies. However, he also added that he was unable to confirm if these apps were leaking data.
The other apps included:
Photo Mania -Photo Effect (1 million installs)
All in One Social Media (100,000 installs)
In addition, Meshkov identified four Chrome extensions that were also found to be scraping user data:
Video Downloader For Facebook
Album & Photo Manager For Facebook
PDF Merge – PDF Files Merger
Pixcam – Webcam Effects
“Obviously, none of these apps describe this behavior in the app description; neither do they have an “in-app disclosure” as required by Google,” he continued.
“I must admit that the Google Play Developer Policies look solid, and so they are likely not the reason of why the privacy of Android apps is in such a sad state. The problem is that these policies are not enforced, hence most of the app developers simply ignore them.”
Offering tips on how users can protect themselves, Meshkov said: “When installing anything on your device or browser, follow these rules.
“Never ever install anything made by a developer you don’t trust. Do your homework, find out who the developer is and decide for yourself if they are trustworthy.”
The offending apps and Chrome extensions have now been reported to Google.