Security researchers have spotted 11 Android apps collecting sensitive information from user phones, including copy-and-paste data, phone numbers, and email addresses.
The findings come from security firm AppCensus; it examined a software development kit (SDK) running on the Android apps, which together were downloaded over 46 million times on the Google Play Store.
“Whenever a user copy/pastes something, it goes to a shared clipboard, which this SDK was scouring and uploading to its servers,” AppCensus said in a Wednesday report. “What gets put there is arbitrary data, and can include passwords, for example, if a user uses a password manager.”
The SDK can also collect precise GPS information, along with the phone number and email address associated with the device. In addition, it can try to pull the unique MAC address of the internet router the phone is connected to, exposing another way to identify the user’s activities. However, the data collection will vary, depending on the app.
AppCensus tracked the SDK to a mysterious company in Panama called Measurement Systems that’s been paying Android app developers to incorporate the software development kit. The company’s website says it’s paid $2.1 million to partners so far, and claims thousands of apps have used the SDK.
However, The Wall Street Journal reports Measurement Systems has ties to a defense contractor in Virginia called Vostrom Holdings that does cyber intelligence work for US government agencies. “Measurement Systems told app-makers it wanted data primarily from the Middle East, Central and Eastern Europe and Asia,” the Journal added, citing internal documents from the company.
Measurement Systems didn't immediately respond to a request for comment.
Read more on pcmag.com