Mega-Popular Muslim Prayer Apps Were Secretly Harvesting Phone Numbers
Researchers discovered a rash of Android apps with tens of millions of downloads implanted with a defense contractor's data-stealing code. Google banned them.
Google recently booted over a dozen apps from its Play Store—among them Muslim prayer apps with 10 million-plus downloads, a barcode scanner, and a clock—after researchers discovered secret data-harvesting code hidden within them. Creepier still, the clandestine code was engineered by a company linked to a Virginia defense contractor, which paid developers to incorporate its code into their apps to pilfer users’ data.
While conducting research, the researchers came upon a piece of code, implanted in multiple apps, that was being used to siphon personal identifiers and other data from devices. The code, a software development kit, or SDK, could “without a doubt be described as malware,” one researcher said.
For the most part, the apps in question appear to have served basic, repetitive functions—the sort that a person might download and then promptly forget about. However, once installed on the user’s phone, the SDK-laced programs harvested important data points about the device and its users, such as phone numbers and email addresses, researchers revealed.
The Wall Street Journal originally reported that the weird, invasive code was discovered by a pair of researchers, Serge Egelman and Joel Reardon, both of whom cofounded an organization called Appcensus, which audits mobile apps for user privacy and security. In a blog post on their findings, Reardon writes that Appcensus initially reached out to Google about their findings in October of 2021. However, the apps ultimately weren’t expunged from the Play Store until March 25, after Google had investigated, the Journal reports. Google issued a statement in response: “All apps on Google Play must comply with our policies, regardless of the developer. When we determine an app violates these policies, we take appropriate action.”
One of the apps was a QR and barcode scanner that, if downloaded, was instructed by the SDK to collect a user’s phone number, email address, IMEI information, GPS data, and router SSID. Another was a suite of Muslim prayer apps including Al Moazin and Qibla Compass—downloaded approximately 10 million times—that similarly pilfered phone numbers, router information, and IMEI. A weather and clock widget with over one million downloads sucked up a similar amount of data at the code’s command. In all, the apps, some of which could also determine users’ locations, had racked up more than 60 million downloads.