Google bans apps with hidden data-storage software

The Panamanian company that wrote the code, Measurement Systems S. de R.L., is linked via corporate records and web registration to a Virginia defense contractor that does cyber-intelligence, network-defense, and intelligence-intercept work for U.S. national-security agencies.

The code runs on millions of Android devices and has been found inside several Muslim prayer apps that have been downloaded more than 10 million times, as well as a highway-speed-trap detection app, a QR-code reading app, and many other popular consumer apps. The code’s behavior was discovered by two researchers during an auditing job that also uncovered vulnerabilities in Android apps. They shared their findings with Google, a unit of Alphabet Inc., with federal privacy regulators and with The Wall Street Journal.

App developers said Measurement Systems paid developers around the world to include its code, known as a software development kit, or SDK. Its presence allowed the Panama-based company to collect data from those apps’ users, according to Serge Egelman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary.

Modern apps often include SDKs written by little-known companies like Measurement Systems “that are not audited or well understood,” said Mr. Egelman. Bundling them is often attractive to app developers, who get a stream of income as well as detailed data about their user base.

“This saga underscores the importance of not accepting candy from strangers,” said Mr. Egelman.

The two men, who co-founded a company called AppCensus that investigates the security and privacy of mobile apps, describe the software as the most privacy-aggressive SDK they have seen in six years of testing mobile apps. It “can without a doubt be described as malware,” said Mr. Egelman.

He and Mr. Reardon documented their findings on the Measurement Systems code in a report published Wednesday that was shared with the Journal and previously provided to the Federal Trade Commission. In the report, the two detailed the list of apps in which they found the code. They also shared their findings with Google in March, which launched an investigation that resulted in the ban. “As FTC investigations are non-public, we cannot comment on whether we are investigating a specific case,” an FTC spokesperson said.

Apps containing Measurement Systems software were removed from the Google Play Store as of March 25 for collecting users’ data outside of rules established by Google, according to Google spokesman Scott Westover. Mr. Westover said the apps could be re-listed if the software was removed. Some are already back in the Play Store.

Google’s action does not affect Measurement Systems’ ability to collect data from the millions of phones around the world where its software is already installed. Messrs. Egelman and Reardon found, however, that the SDK stopped collecting data from users and shut itself off soon after the two began circulating their findings.

According to Messrs. Egelman and Reardon, the Measurement Systems software runs inside more than a dozen apps, including several Muslim-themed prayer apps such as Al Moazin and Qibla Compass. The two researchers found the Measurement Systems kit in apps downloaded to at least 60 million mobile devices, and possibly many more. Google declined to say how many apps in total included the software.

The software’s actual reach could be much larger, according to their findings, because it could detect the presence of other devices on the same Wi-Fi network as a phone running an app that contained the code, potentially providing a way to map social networks.

Parfield, the Egypt-based developer of Al Moazin and other religious-themed apps, said it had been told that Measurement Systems was collecting data on behalf of Internet-service providers as well as financial-services and energy companies. The makers of Qibla Compass did not respond to a request for comment.

Measurement Systems told app makers that it primarily wanted data from the Middle East, Central and Eastern Europe and Asia, according to documents reviewed by the Journal. That is an unusual request, because among commercial data brokers U.S. and Western European data commonly commands the highest prices. Several developers said Measurement Systems required them to sign non-disclosure agreements.

The Measurement Systems SDK was also found in other popular Android consumer apps, including weather apps, QR-code scanners, and highway-radar detection apps. Pixalate, a third-party company that tracks app analytics, provided the Journal with data about the geographic distribution of users of apps running the Measurement Systems code. A weather app carrying the code was particularly popular in Iran.

The SDK was collecting large amounts of data about each user, including precise location, personal identifiers such as email addresses and phone numbers, and data about nearby computers and mobile devices, Messrs. Reardon and Egelman found. While consumer-data brokers sometimes collect such data, they typically do not include personal identifiers such as email addresses and phone numbers, because doing so may violate data-privacy laws.

The Measurement Systems SDK can also collect information stored in the phone’s clipboard, for example whatever the user has copied with the cut-and-paste feature. And it has the ability to scan certain parts of the phone’s file system, in particular the files stored in the WhatsApp download folder, Messrs. Reardon and Egelman found. It could not necessarily read the contents of those files, but it could match them against known files using a technique called compare-by-hash.
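To make the compare-by-hash point concrete, here is an added illustration in Python. It is not code from the researchers’ report or from the Measurement Systems SDK, and it makes two labelled assumptions: SHA-256 is used as the digest (the article does not name the hash function) and every file is constructed inline. It shows why shipping only digests still identifies which known files a user holds, and, for the Wi-Fi device-mapping point above, why two devices that hold the same file can be linked even when the server has never seen that file.

```python
"""Compare-by-hash: identify known files without ever uploading their contents.

Added illustration, not the SDK's code. Assumptions: SHA-256 as the digest
(the article does not say which hash the SDK used); all files constructed inline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# Constructed sample corpus. The server side only needs digests of files that
# are already circulating (leaflets, memes, leaked documents), not the files.
KNOWN_FILE_CONTENTS = {
    "protest-flyer": b"constructed sample: protest flyer, widely forwarded",
    "known-meme": b"constructed sample: meme image bytes",
}


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_dir(path: str) -> Dict[str, str]:
    """Client side: map each file under `path` to its digest.

    Only digests leave the device; contents are never transmitted, which is
    why this does not look like "reading" the files.
    """
    digests = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            digests[os.path.relpath(full, path)] = sha256_file(full)
    return digests


def build_corpus(known: Dict[str, bytes]) -> Dict[str, str]:
    """Server side: digest -> label for every known file."""
    return {hashlib.sha256(data).hexdigest(): label for label, data in known.items()}


def match_known(digests: Dict[str, str], corpus: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (filename, label) for every device file whose digest is in the corpus."""
    return sorted((fn, corpus[d]) for fn, d in digests.items() if d in corpus)


def shared_digests(a: Dict[str, str], b: Dict[str, str]) -> Set[str]:
    """Digests present on both devices. The same file received by two users
    links them even when the file itself is unknown to the server."""
    return set(a.values()) & set(b.values())


def demo() -> Tuple[List[Tuple[str, str]], Set[str]]:
    """Build two constructed 'download folders' and run both lookups."""
    corpus = build_corpus(KNOWN_FILE_CONTENTS)
    with tempfile.TemporaryDirectory() as phone_a, tempfile.TemporaryDirectory() as phone_b:
        video = b"constructed sample: a video only these two users exchanged"
        files_a = {
            "flyer.pdf": KNOWN_FILE_CONTENTS["protest-flyer"],
            "IMG-0001.jpg": KNOWN_FILE_CONTENTS["known-meme"],
            "private_photo.jpg": b"constructed sample: unique bytes never seen by the server",
            "VID-0002.mp4": video,
        }
        files_b = {
            "flyer.pdf": KNOWN_FILE_CONTENTS["protest-flyer"],
            "VID-0002.mp4": video,
        }
        for folder, files in ((phone_a, files_a), (phone_b, files_b)):
            for name, data in files.items():
                with open(os.path.join(folder, name), "wb") as f:
                    f.write(data)
        fp_a = fingerprint_dir(phone_a)
        fp_b = fingerprint_dir(phone_b)
    hits = match_known(fp_a, corpus)    # what the corpus identifies on phone A
    links = shared_digests(fp_a, fp_b)  # what ties phone A to phone B
    return hits, links


if __name__ == "__main__":
    hits, links = demo()
    print("known files on phone A:", hits)
    print("digests shared by both phones:", len(links))
```

The private photo never matches, which is the sense in which the collector "cannot read" files; the flyer and the meme are identified outright, and the shared video links the two phones to each other without the server knowing what it is.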

WhatsApp is widely used around the world as an alternative to text messages. It encrypts messages as they cross the Internet, protecting users’ privacy but often frustrating the ability of law-enforcement and intelligence agencies to obtain the content.

“The database that maps a person’s actual email and phone number to their precise GPS location history is particularly scary, as it can be used to run a service that looks up a person’s location history knowing only their phone number or email, which could be used to target journalists, dissidents, or political rivals,” Mr. Reardon wrote in a blog post explaining his findings.

The Defense Department and other national-security entities have previously said they purchase vast amounts of data from commercial providers, but have declined to discuss specifics. “As part of their authorized activities, Department of Defense components purchase publicly and commercially available data to inform analysis of foreign threats to national security,” a Pentagon spokesman previously said.

The Internet domain of Measurement Systems was registered in 2013 by a U.S.-based company named Vostrom Holdings Inc., according to web-domain records as recent as last month. Those records now list Measurementsys.com as being registered through a service that “protects the privacy of domain name holders.”

According to corporate records, Vostrom does business with the federal government through a subsidiary, Packet Forensics LLC. Measurement Systems S. de R.L. lists two holding companies as its officers, both of which share a Sterling, Va., address with people affiliated with Vostrom, according to corporate records. In addition, one of those people controlled a U.S. LLC with the same name, Measurement Systems LLC, according to corporate-ownership records. It was dissolved the same week the Journal sought comment from Vostrom and Packet Forensics.

Measurement Systems said in an email: “The allegations you make about the company’s activities are false. In addition, we are not aware of any relationship between our company and U.S. defense contractors, nor do we know about a company called Vostrom. We are also not clear about what Packet Forensics is or how it relates to our company.” Measurement Systems did not respond to questions about how its domain came to be registered by Vostrom.

Vostrom and its subsidiaries are affiliated with Rodney Joffe, a longtime cybersecurity consultant to the U.S. government, and are run by several of his family members, according to corporate-ownership records and a person familiar with the matter.

“Mr. Joffe has a minority ownership interest in Packet Forensics and serves as non-executive chairman, but has had no operating role in the business for several years. Mr. Joffe has never had a financial interest in, and is not connected to, Vostrom Holdings,” said a spokesman for Mr. Joffe.

People familiar with his career say Mr. Joffe has been a source of specialized data and capabilities for government entities, sometimes on classified programs. He came to prominence in a long-running controversy about the monitoring of web traffic on properties belonging to Donald Trump during the 2016 election.

As an increasing share of Internet traffic has become encrypted, governments have turned to software on mobile devices to collect information about people and the places they visit. The Journal has reported that a robust market has emerged for location data collected from phones, and that government agencies have become major buyers of such data.

Such data can include geolocation, which has driven the growth of a multibillion-dollar location-analytics industry that seeks to understand people’s movements. Several technology executives whose companies do not normally sell to the government have also described being contacted by U.S. intelligence agencies and asked either to voluntarily provide data about their users in bulk or to let law enforcement run warrantless queries of their data.

Measurement Systems offers to pay developers to include its software code in their mobile apps, saying the code collects “non-personal information about app users.”

In documents reviewed by the Journal, it told developers that they could earn anywhere from $100 to $10,000 or more, depending on how many active users they could deliver. The company was particularly interested in users who had granted the app access to their location, the documents showed, but emphasized that such permissions need not be enabled in order for it to collect data.
