Six Android apps on Google's Play Store found to secretively harvest data from users

Six apps from Chinese developer DO Global have been found to secretly collect user data and send it to Chinese servers. While these apps have now been removed, this issue has once again turned a spotlight on a serious privacy problem that continues to plague the Google Play Store: unwarranted app permissions.

Sam Medley, Published 04/27/2019

Android has a major problem, and it lies at the heart of its most popular application management system. This week, several security firms, in a joint effort with Buzzfeed news, confirmed that six popular Android apps have been unknowingly collecting user data and sending it to Chinese servers.

The apps in question are from one publisher: DO Global, a Chinese-based app developer. The apps collected user data by surreptitiously prompting ad clicks without the users knowing. These clicks occurred even when the app was not active.

This practice flies in the face of both Google’s terms of service for the Play Store and the EU’s General Data Protection Regulation, or GDPR. Under the GDPR, software must make users explicitly aware of when, how, and for what purpose it may collect data. Software must also obtain direct consent from users.

Google responded to the findings by saying:

Developers are required to disclose the collection of personal data, and only use permissions that are needed to deliver the features within the app. If an app violates our policies, we take action that can include banning a developer from being able to publish on Play.

Google has since removed the apps (listed below) from the Play Store, but that has not sated some critics; some Android users have called for punitive measures to be levied on DO Global as an example to other publishers that might attempt similar practices.

The biggest problem highlighted in this investigation is the inordinate amount of permissions that some applications request. As KitGuru pointed out, an app called “Emoji Flashlight”, which is a simple torch application, requests 30 different access permissions upon download. (Google notes that 7 of these are critical.) Why a flashlight would need more than one access permission (the LED light on a phone) is beyond comprehension, unless it is attempting to access user data for one purpose or another.

Be careful when downloading applications, even from trusted sources like the Google Play Store and carefully read through an app’s permission requests before accepting any of them.

The apps that were noted in this investigation include the following:

Selfie Camera
Total Cleaner
Smart Cooler
RAM Master
AIO Flashlight
Omni Cleaner

Source(s)

KitGuru

If any of these app icons are on your iPhone or iPad, uninstall them immediately. (Image via Wandera)

Trojan malware found in 17 apps on Apple App Store 10/25/2019

The Int App Lock icon alongside some code it reportedly runs. (Source: Pradeo Lab)

The "Joker" malware is found to exist within yet another Android app 10/23/2019

Malware is now a problem when downloading textbooks. (Source: Wikipedia)

Kaspersky claims to have found malware in digital college textbooks 09/06/2019

Facebook paid human contractors to listen to and transcribe audio from users 08/14/2019

DuckDuckGo adds new features to its mapping system, courtesy of Apple Maps 07/18/2019

Does Google Home eavesdrop? A Belgian news report suggests that it does. (Source: Pocket-lint)

Google Assistant-enabled devices allegedly found to listen in on users 07/13/2019

SwiftKey is a well-known keyboard app. (Source: PupilSpot)

SwiftKey may lose Gmail optimizations soon 06/29/2019

The new setting in Google Location History. (Source: Google)

Auto-delete your Google Location History with this new setting 06/26/2019

CooTek hid BeiTaAd within over 200 apps on Google Play Store like TouchPal

BeiTaAd adware found in over 200 Android apps on the Google Play Store 06/05/2019

Massive data breach may have affected millions of Instagram users, including some major influencers 05/20/2019

The Reolink Go wireless security camera. (Source: Reolink)

The Reolink Go wireless 4G LTE security camera is now available worldwide 05/18/2019

Affected Titan Security Keys have a printed

Security flaw found in Google's Titan Security Keys 05/17/2019

New ZombieLoad attack can exploit all Intel chips dating back to 2011 05/14/2019

Having the latest Android Q preview may be cool, but perhaps less so when going about your daily life. (Source: Android Central)

Some Google Pay users find the latest Android Q beta is not daily driver-ready the hard way 05/09/2019

Google Fi has made charging errors for a number of its customers. (Source: Google)

Some Google Fi customers are being charged full prices rather than their finance-agreement rates for phones 05/06/2019

Vade Secure's Phisher's Favorites rankings for 1Q2019. (Source: Vade Secure)

Phishing on social media sites increased by nearly 75% in the 1st quarter of 2019 05/02/2019

Android Q's Scoped Storage feature delayed until Android R in 2020 04/27/2019

Hero to villain: Security researcher responsible for stopping WannaCry pleads guilty to malicious hacking charges 04/23/2019

HP introduces Sure Sense anti-virus software powered by deep learning (Source: HP)

HP introduces Sure Sense anti-virus software powered by deep learning 04/16/2019

Peel Smart Remote app has been secretly uploading user camera pictures to an unknown server (Image source: Peel Technologies)

Peel Smart Remote app has been secretly uploading user camera pictures to an unknown server 04/09/2019

Razer is now working on a fix for the affected models released prior to 2016. (Source: Razer)

Razer's laptops confirmed to be affected by critical vulnerability 04/09/2019

Purism partners with Private Internet Access to develop a tracker-free VPN for PureOS and Librem 5 smartphone 04/04/2019

A stat from the 2018 Android Security Report. (Source: Google)

Google releases its 2018 Android Security Report 03/30/2019

The latest Huawei Matebook models include the patched management driver. (Source: PCWorld)

Microsoft spots critical flaw in Huawei's Matebook device manager driver 03/27/2019

Asus releases patch to fix Operation ShadowHammer vulnerability in Live Update Utility 03/26/2019

Operation ShadowHammer: Tens of thousands of computers had a security backdoor installed via Asus' Live Update Utility 03/25/2019

In plain sight: Hundreds of millions of Facebook user passwords were stored in plain text 03/21/2019

The OnePlus 6T on T-Mobile can now use RCS messaging. (Source: T-Mobile )

The T-Mobile OnePlus 6T is in line for RCS messaging via an update 03/10/2019

Hilsenteger with his S10+, a Pixel 3 and the video that apparently hacked Face Unlock. (Source: YouTube)

Face Unlock fails again? YouTuber highlights a possible flaw in Galaxy S10+ security 03/09/2019

Ghidra, the NSA's homegrown decompiler tool, is now open source 03/06/2019

Loading Comments

Comment on this article

Save US$200 or £150 on the Google P...

Android Q's Scoped Storage feature ...

Sam Medley - Senior Tech Writer - 1344 articles published on Notebookcheck since 2016

I've been a computer geek my entire life. After graduating college with a degree in Mathematics, I worked in finance and banking a few years before taking a job as a database administrator. I started working with Notebookcheck in October of 2016 and have enjoyed writing news and reviews. I've also written for other outlets including UltrabookReview and GeeksWorldWide, focusing on consumer guidance and video gaming. My areas of interest include the business side of technology, retro gaming, Linux, and innovative gadgets. When I'm not writing on electronics or tinkering with a device, I'm either outside with my family, enjoying a decade-old video game, or playing drums or piano.

Please share our article, every link counts!

> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2019 04 > Six Android apps on Google's Play Store found to secretively harvest data from users

Sam Medley, 2019-04-27 (Update: 2019-04-28)

Six Android apps on Google's Play Store found to secretively harvest data from users

Source(s)

Related Articles