Yandex, Russia’s biggest internet company, has embedded code into mobile apps allowing it to harvest data from millions of users. This collected information is then sent to servers in Russia, and researchers have raised concerns about this tracked data being accessed by the Kremlin and used to track people through their phones.
Researcher Zach Edwards made the initial discovery as part of an app auditing campaign for Me2B Alliance. Four independent experts tested his theory for the Financial Times to confirm the work. It relates to software created by Yandex, which is in turn used by developers to create Android and iOS apps.
Yandex has acknowledged that it does collect “device, network and IP address” information that is then stored in Russia and Finland; however, the company added that the data is non-personalised and limited in scope, adding that while it is theoretically possible to identify users using this information, it is extremely hard in practice and the company cannot do that.
From the warfront to a phone screen
According to Cher Scarlett, former principal software engineer in global security at Apple, once user information is stored on Russian servers, Yandex can be obligated to hand this information over to the government under local laws. Other experts have also backed up that metadata collected by Yandex can be used to identify users.
Yandex software is currently being used in 52,000 apps being used by Android and iOS users alike. It comes in the form of a Software Development Kit, or SDK, called AppMetrica and is found in games, messaging apps, location sharing tools, and several VPN apps, seven of which are made specifically for Ukrainian audiences. According to Appfigures, an app intelligence group, the total install of apps that use the AppMetrica SDK are in the hundreds of millions.
For high-threat people or those working in high-profile jobs, these apps phoning their data back to Moscow can be a significant threat that can potentially lead to attacks on home networks or other forms of digital surveillance.
Yandex has defended its SDK, saying that it informs its developers regarding its functioning. The SDK requires user permission to collect data, operating in the same way as its international peers.
However, following the Russian invasion of Ukraine, some app developers have started to remove AppMetrica from their apps. On the other hand, over 2000 apps have added the SDK since the invasion, with 21 VPN apps included in the last 30 days.
In the News: Instagram post button missing: 7 Fixes