Android apps with 45 million installs used data harvesting SDK (Security News, April 2022)
Mobile malware analysts warn about a set of applications available on the Google Play Store, which collected sensitive user data from over 45 million installs of the apps.
The apps collected this data through a third-party SDK that includes the ability to capture clipboard content, GPS data, email addresses, phone numbers, and even the user's modem router MAC address and network SSID. This sensitive data could lead to significant privacy risks for the users if misused or leaked due to poor server/database security.
According to AppCensus, which discovered the use of this SDK, the collected data is bundled and transmitted by the SDK to the domain "Mobile.measurelib.com," which appears to be owned by a Panama-based analytics firm named Measurement Systems.
If users installed the apps at an earlier date, the SDK would still be running on their smartphones, so removing and re-installing the apps is advised in this case.
Another good practice is to keep the number of apps installed on your device to the minimum necessary and ensure that the permissions requested are not overly broad. Bleeping Computer has contacted all publishers of the apps listed above and the SDK provider, and we will update this post with their comments as soon as we receive them.
Immediately after we were able to confirm that the SDK owned by Measurementsys was exploiting some Android vulnerabilities, operating in an unclear and privacy-questionable manner, we urgently removed the defective SDK, released an update, and ended our relationship with this partner.