Mobile malware analysts warn about a set of applications available on the Google Play Store, which collected sensitive user data from over 45 million installs of the apps.
The apps collected this data through a third-party SDK that includes the ability to capture clipboard content, GPS data, email addresses, phone numbers, and even the user’s modem router MAC address and network SSID.
This sensitive data could lead to significant privacy risks for the users if misused or leaked due to poor server/database security.
Furthermore, clipboard contents could potentially include very sensitive information, including crypto wallet recovery seeds, passwords, or credit card numbers, which should not be stored in a third-party database.
According to AppCensus, who discovered the use of this SDK, the collected data is bundled and transmitted by the SDK to the domain “mobile.measurelib.com,” which appears to be owned by a Panama-based analytics firm named Measurement Systems.
The firm is promoting a data-collecting SDK named Coelib as a monetization opportunity for the apps, promoting it as an ad-free way for the publishers to generate revenue.
AppCensus researchers say that many of the strings in the SDK’s library are obfuscated using AES encryption and then base64 encoded.
“And what is the threat model that requires encrypting your strings anyway?! At least, it’s a relief that they only do 10 rounds of key derivation, because this outrageous block of code executes every single time that a string is used by this library (delaying the app and wasting battery life),” explain’s AppCensus in their report.
Apps using this SDK
The most popular and downloaded applications found to be using this SDK to send sensitive user data are the following:
- Speed Camera Radar – 10 million installations (phone number, IMEI, router SSID, router MAC address)
- Al-Moazin Lite – 10 million installations (phone number, IMEI, router SSID, router MAC address)
- WiFi Mouse – 10 million installations (router MAC address)
- QR & Barcode Scanner – 5 million installations (phone number, email address, IMEI, GPS data, router SSID, router MAC address)
- Qibla Compass Ramadan 2022 – 5 million installations (GPS data, router SSID, router MAC address)
- Simple weather & clock widget – 1 million installations (phone number, IMEI, router SSID, router MAC address)
- Handcent Next SMS-Text w/MSS – 1 million installations (email address, IMEI, router SSID, router MAC address)
- Smart Kit 360 – 1 million installations (email address, IMEI, router SSID, router MAC address)
- Al Quran mp3 – 50 Reciters & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address)
- Full Quran MP3 – 50+ Languages & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address)
- Audiosdroid Audio Studio DAW – 1 million installations (phone number, IMEI, GPS data, router SSID, router MAC address)
It’s important to note that all of these apps were reported to Google on October 20, 2021, and were subsequently investigated and removed from the Play Store.
However, their publishers managed to reintroduce them on the Play Store after removing the data-harvesting SDK and submitting new, updated versions to Google for review.
If users installed the apps on a previous date, though, the SDK would still be running on their smartphones, so removal and re-installation would be advised in this case.
Unfortunately, as data collection libraries quietly run in the background collecting data, it’s difficult for users to protect themselves from them. Therefore, it is advised that you only install apps from trustworthy developers who have a long history of highly reviewed apps.
Another good practice is to keep the number of apps installed on your device at the minimum necessary and ensure that the permissions requested are not overly broad.
Bleeping Computer has contacted all publishers of the apps listed above and the SDK provider, and we will update this post with their comments as soon as we receive them.
The publisher of one of the listed apps, ‘Simple weather & Clock Widget’ provided the following statement to BleepingComputer:
“We really wanted to apologize to our users for this incident. It was not our fault. Like a few other developers, we have been misled.
Immediately after we were able to confirm that the SDK owned by Measurementsys was exploiting some Android vulnerabilities, operating in an unclear and privacy-questionable manner, we urgently removed the defective SDK, released an update, and ended our relationship with this partner.
We care about full transparency and security, we create apps and we also use them. This incident had a very bad effect on our app, we will make every effort to ensure that this situation never happens again.”