A couple of days ago Google pulled some apps that made use of an SDK (Software Development Kit) that harvested user data and sent it to a remote server. This user data included telephone numbers and SMS messages, along with GPS location, IP addresses and Wi-Fi details, but this is nothing new.
Covert channel access
Back in 2012, an ACM research paper entitled “Analysis of the communication between colluding applications on modern smartphones” covered vulnerabilities in the Android permission system that allowed apps to talk to each other. If one app is denied access to a service but another is granted it, the denied app can talk to the granted one and use it to reach the service it shouldn’t have access to.
Side channel access
Back in 2017, another paper from IEEE called “Systematic classification of side-channel attacks: a case study for mobile devices” covered vulnerabilities where an app that has been directly denied access to a service can reach it indirectly, using a side channel through the operating system’s own access to that service.
Stealing personal data
Back in 2019, the paper entitled “50 ways to leak your data”, presented at the 28th USENIX Security Symposium, stated that the CNN app used an SDK called Visbee to access the location of the device when GPS was turned off. Their app would set up a fake wireless name to obtain the hard-coded MAC address for both Bluetooth and Wi-Fi devices and then call back to a website with an encoding of this information to obtain their IP address and the user’s location that way.
Additionally, another app was caught stealing personal data in 2019; it used a library from Measurement Systems to relay that data back to their servers using coelib.c.couluslibrary, which will be referred to later.
JPush stealing data and encrypting it
Back in August 2020, Berkeley University produced a case study which found that 415 apps out of over 100,000 downloaded contained the JPush SDK and that, within 10 minutes of testing, 31 of these apps phoned home with GPS, Wi-Fi, MAC addresses and details from the SIM cards in the devices.
Google puts its foot down
In December 2021, Google finally realised that any apps that were caught harvesting personal data would be banned from the Play Store, but this only seemed to affect apps that they “caught”, and that meant that other apps could get away with it.
Measurement Systems caught again
On 6th April 2022, a post on the AppCensus blog entitled “The Curious Case of Coulus Coelib” identified that the library had been improved to harvest personal data including SMS, phone numbers, GPS location information and connection details, amongst other data.
Google finally takes action
Google removed more than a dozen apps from its Play Store that were found to use the Coulus Coelib SDK to harvest users’ data. The majority of these apps re-appeared on the Play Store with this SDK removed.
Conclusion
Back in 2017, Android Authority wrote that the average Android app contains at least 17 different SDKs, and it estimated that 50% of apps have an SDK attempting to harvest personal data, with 10% having access to the device microphone and 40% having at least 1 SDK that reads the installed apps on the device. The Android ecosystem is fraught with data theft and has been for years.
It seems that the problems with Android security will be ongoing for some time.