Wall Street Journal: Google has pulled apps that collect Muslim data for US security agencies

Wall Street Journal: Google has pulled apps that collect Muslim data for US security agencies  Google said it has pulled a group of applications that have been proven to collect information for the benefit of security agencies in the United States of America, and mainly target Muslims in the Middle East and Asia.  The company added that it has withdrawn from its Google Play store dozens of applications for using a software element that collects surreptitious data, confirming the association of these applications with national security contractors in the United States, according to a report published by the American Wall Street Journal.  The Panamanian company, Measurement Systems, which owns the software, is associated with a Virginia defense contractor that conducts electronic intelligence, network defense and information interception for US national security agencies.  The software ran on millions of Android devices and was found inside many Muslim-oriented prayer apps that have been downloaded more than 10 million times, as well as a highway finder app, a QR code reading app and a number of other apps popular with consumers, according to two of the researchers. Researchers who discovered the code's behavior while operating a unit of Alphabet and federal privacy regulators.  The developers said that Criminal Systems has paid developers around the world to integrate its code - known as a software development kit, or SDK - into their applications.  The presence of this code allowed the Panamanian company to surreptitiously collect data from its users, according to Serge Eagleman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary. .  Modern applications often include SDKs written by little-known companies such as Criminal Systems that are "not well vetted or understood," Eagleman said.  In most cases, its inclusion is tempting for app developers who get paid, as well as detailed data about their user base.  The two people, who also co-founded a company called AppCensus that tests the security and privacy of mobile apps, consider the malware to be the most privacy invasion they've seen in the six years they've scanned mobile apps.  Eagleman said the software could "without a doubt be described as malicious" and he and Reardon documented their findings about the malware in a report shared with the newspaper and previously submitted to the Federal Trade Commission.  Apps containing the Criminal Systems software were removed from the Google Play Store as of March 25, according to Scott Westover, a Google spokesperson, for collecting user data outside of the rules set by Google.  Criminal Systems has run inside more than 10 apps—including several Islamic-themed prayer apps such as Al Moazin and Qibla Compass, according to Eagleman and Reardon.  The criminalization system's suite of software was present in apps downloaded on at least 60 million mobile devices, and likely many more, according to the researchers.  Google has refused to say how many apps in total contain the software.  Barfield, the Egypt-based developer of the muezzin and other religious-themed apps, says she has been told that Criminal Systems collects data on behalf of Internet service providers as well as financial services and energy companies. The makers of "The Kiss" did not respond to a request for comment by the Wall Street Journal.  Criminal Systems has told the app makers that it wants data from the Middle East, Central and Eastern Europe and Asia, according to documents reviewed by the newspaper, an unusual request because US and Western European data is typically needed for advertising purposes. Several developers said Criminal Systems had asked them to sign nondisclosure agreements.  Pixalate, a third-party company that monitors app analytics, provided the newspaper with data about the geographic distribution of users of the apps that run the measurement systems. One of the weather applications that the daemon was running on was particularly popular in Iran.  Reardon and Eagleman found that the software was collecting a large amount of data about each user, including exact location and personal identifiers such as email and phone numbers as well as data about nearby computers and mobile devices.  Consumer data brokers sometimes collect such data, but they usually do not include personalized identifiers such as email addresses and phone numbers, as this may conflict with data privacy laws.  Earlier, the Pentagon and other national security entities said they buy large amounts of data from commercial providers, but declined to discuss details.  "As part of their authorized activities, Department of Defense elements procure available data to inform analysis of foreign threats to national security," a former Pentagon spokesperson said.  Source : The Wall Street Journal

Google said it has pulled a group of applications that have been proven to collect information for the benefit of security agencies in the United States of America, and mainly target Muslims in the Middle East and Asia.

The company added that it has withdrawn from its Google Play store dozens of applications for using a software element that collects surreptitious data, confirming the association of these applications with national security contractors in the United States, according to a report published by the American Wall Street Journal.

The Panamanian company, Measurement Systems, which owns the software, is associated with a Virginia defense contractor that conducts electronic intelligence, network defense and information interception for US national security agencies.

The software ran on millions of Android devices and was found inside many Muslim-oriented prayer apps that have been downloaded more than 10 million times, as well as a highway finder app, a QR code reading app and a number of other apps popular with consumers, according to two of the researchers. Researchers who discovered the code's behavior while operating a unit of Alphabet and federal privacy regulators.

The developers said that Criminal Systems has paid developers around the world to integrate its code - known as a software development kit, or SDK - into their applications.

The presence of this code allowed the Panamanian company to surreptitiously collect data from its users, according to Serge Eagleman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary. .

Modern applications often include SDKs written by little-known companies such as Criminal Systems that are "not well vetted or understood," Eagleman said.

In most cases, its inclusion is tempting for app developers who get paid, as well as detailed data about their user base.

The two people, who also co-founded a company called AppCensus that tests the security and privacy of mobile apps, consider the malware to be the most privacy invasion they've seen in the six years they've scanned mobile apps.

Eagleman said the software could "without a doubt be described as malicious" and he and Reardon documented their findings about the malware in a report shared with the newspaper and previously submitted to the Federal Trade Commission.

Apps containing the Criminal Systems software were removed from the Google Play Store as of March 25, according to Scott Westover, a Google spokesperson, for collecting user data outside of the rules set by Google.

Criminal Systems has run inside more than 10 apps—including several Islamic-themed prayer apps such as Al Moazin and Qibla Compass, according to Eagleman and Reardon.

The criminalization system's suite of software was present in apps downloaded on at least 60 million mobile devices, and likely many more, according to the researchers.

Google has refused to say how many apps in total contain the software.

Barfield, the Egypt-based developer of the muezzin and other religious-themed apps, says she has been told that Criminal Systems collects data on behalf of Internet service providers as well as financial services and energy companies. The makers of "The Kiss" did not respond to a request for comment by the Wall Street Journal.

Criminal Systems has told the app makers that it wants data from the Middle East, Central and Eastern Europe and Asia, according to documents reviewed by the newspaper, an unusual request because US and Western European data is typically needed for advertising purposes. Several developers said Criminal Systems had asked them to sign nondisclosure agreements.

Pixalate, a third-party company that monitors app analytics, provided the newspaper with data about the geographic distribution of users of the apps that run the measurement systems. One of the weather applications that the daemon was running on was particularly popular in Iran.

Reardon and Eagleman found that the software was collecting a large amount of data about each user, including exact location and personal identifiers such as email and phone numbers as well as data about nearby computers and mobile devices.

Consumer data brokers sometimes collect such data, but they usually do not include personalized identifiers such as email addresses and phone numbers, as this may conflict with data privacy laws.

Earlier, the Pentagon and other national security entities said they buy large amounts of data from commercial providers, but declined to discuss details.

"As part of their authorized activities, Department of Defense elements procure available data to inform analysis of foreign threats to national security," a former Pentagon spokesperson said.

Source : The Wall Street Journal
Previous Post Next Post