
After independent researchers found a data-harvesting software development kit (SDK) embedded in apps distributed through the Google Play Store, Google (a unit of Alphabet Inc.) has removed the affected apps. The Wall Street Journal reports:
Google has yanked dozens of apps from its Google Play store after determining that they include a software element that surreptitiously harvests data.
The Panamanian company that wrote the code, Measurement Systems S. de R.L., is linked through corporate records and web registrations to a Virginia defense contractor that does cyberintelligence, network-defense and intelligence-intercept work for U.S. national-security agencies.
The code ran on millions of Android devices and has been found inside several Muslim prayer apps that have been downloaded more than 10 million times, as well as a highway-speed-trap detection app, a QR-code reading app and a number of other popular consumer apps, according to two researchers who discovered the behavior of the code in the course of auditing work they do searching for vulnerabilities in Android apps. They shared their findings with Google, a unit of Alphabet Inc., federal privacy regulators and The Wall Street Journal.
Measurement Systems paid developers around the world to incorporate its code—known as a software development kit, or SDK—into their apps, developers said. Its presence allowed the Panamanian company to surreptitiously collect data from their users, according to Serge Egelman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary.
Modern apps often include SDKs written by little-known companies like Measurement Systems “that aren’t audited or well understood,” Mr. Egelman said. Inserting them is often enticing for app developers, who get a stream of income as well as detailed data about their user base.
“This saga continues to underscore the importance of not accepting candy from strangers,” Mr. Egelman said.
Read more here.