Skip to content

1000+ Android apps with millions of installs are snooping on user data

  • by
  • 5 min read

Google’s Android is in the news yet again and for all the wrong reasons. Researchers have found out that more than 1000 apps using 10 SDKs can access user data such as geolocation and other persistent identifiers without needing user permission. The app SDKs in question have their source companies incorporated in China, UK and USA.

User security and privacy on the operating system has been flawed since its inception, and although they’ve tried to improve over time, new flaws are exploited by malicious apps now and then.

The researchers analysed 88,000 Android apps and found that over a thousand of those apps — including popular apps from different categories — were snooping into user location data through metadata such as Router MAC address and also getting access to persistent identifiers such as IMEI and Network MAC address.

The apps either use Covert or Side channels to get access to data that they otherwise don’t have permission to view. The Covert channel enables an app to access data collected by another colluding app that has the required permissions, while Side channel exploits a flaw in the design of the security system or a flaw in its implementation to acquire data that is permission-protected.

Researchers also found that a total of 42 apps were exploiting the vulnerability and getting the Network MAC addresses, which can be used to uniquely identify a device, while another 12408 apps had the pertinent code to exploit the vulnerability but weren’t yet. Five other apps were found to exploit system vulnerability to access Router MAC address, while five more had pertinent code to do so.

According to the researchers, “Knowing the MAC address of a router allows one to link different devices that share Internet access, which may reveal personal relations by their respective owners, or enable cross-device tracking.”What is a Honeypot attack? How is it carried out and shortcomingsIt was also found that 13 apps were exploiting third-party libraries provided by Baidu and Salmonads that use a device’s SD card as a covert channel. So, if an app can read the device’s IMEI number, it stores it for other apps that cannot. One hundred fifty-nine other apps had a pertinent code to exploit this vulnerability.

“The IMEI is also useful to online services as a persistent device identifier for tracking individual phones. Collection of the IMEI by third parties facilitates tracking in cases where the owner tries to protect their privacy by resetting other identifiers, such as the advertising ID.”

“Baidu writes the user’s IMEI to publicly accessible storage allows any app to access it without permission—not just other
Baidu-containing apps.”

An app was also found to be using metadata from images to get access to precise location data, though it didn’t have permission to access location data. The company, identified as Shutterfly, said in a statement published by Cnet that the data gathered is “in accordance with Shutterfly’s privacy policy as well as the Android developer agreement.”

At the Federal Trade Commission’s 4th annual PrivacyCon last month, the director of usable security and privacy research at the International Computer Science Institute (U.C. Berkeley), Serge Egelman, said that Google was notified about these issues last September, but Google is yet to fix the vulnerability and said that these issues would be addressed in their upcoming Android Q release.

Also read: How secure are your photos on social media? And how to protect them

Google’s delay is a cause for concern

The delay in Google’s action puts a lot of Android users at risk and even when Android Q will be released, it’ll be barely available to even a tenth of Android users worldwide. Currently, devices running Android 9 Pie, the latest stable Android built released last year, are only being used by 10.4% of total users worldwide, while Android version 6 ‘Marshmallow’ is still used by 16.9% devices worldwide. Android Nougat (versions 7.0 and 7.1) and Oreo (versions 8.0 and 8.1) have a combined user share of 47.5%.

It’ll take a relatively long time for people to upgrade to Android Q, which leaves a vast majority of users vulnerable to apps like the ones mentioned above. Add to it the time respective brand owners take to roll out an update for their device.

The research suggests that this vulnerability impacts hundreds of millions of Android users.

Given the stats, a majority of Android users worldwide are vulnerable to such exploits by the apps discovered by this research, as well as by those that haven’t been yet. The world of tech, and more specifically of Android, is ever evolving and at an unprecedented pace but tech moguls such as Google need to keep up in order.

Android is used by 88% of smartphone users worldwide, which is rivalled by Apple’s paltry 11.9. But with that big of a market share, Google needs to step up its game and move faster when mitigating security concerns.

Source: Android Developers

The research paper titled 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permission System is supported by NSA’s Science of Security program, the Department of Homeland Security, National Science Foundation and several others.

Also read: Top 15 Android tips and tricks for power users



Writes news mostly and edits almost everything at Candid.Technology. He loves taking trips on his bikes or chugging beers as Manchester United battle rivals. Contact Prayank via email: