Developers, be careful what you include in the code of your Android applications! AppCensus security researchers have just revealed the existence of a development kit called Coelib.c.couluslibrary, which quietly siphons off a whole set of particularly sensitive data: phone numbers, email addresses, local network MAC addresses, GPS data, clipboard data. Enough to transform the mobile app into real spyware.
“The idea that this data collector could have created a database mapping a person’s real email and phone number to their precise GPS location history is particularly chilling.
Such a database could be used to generate a person’s location history simply by knowing their phone number or email, and could be used to target journalists, dissidents or political rivals.” believe the researchers in a blog post.
This development kit – or SDK – has been detected in a dozen applications from the Google Play Store, totaling more than 60 million downloads.
The relevant list includes utility software (bar code readers, virtual mouse, weather forecast, etc.) and Islamic prayer software. This strange SDK has since been removed from apps in the Play Store. But who is behind this software?
Officially, the publisher is a Panamanian company called Measurement Systems. On its website, it tries to attract developers with tempting levels of remuneration (“We pay the highest CPMs for your data”) and claims to respect the confidentiality of user data.
Also see video:
But some clues suggest that it is only a storefront. According to wall street journalthe Measurement Systems domain name was registered in 2013 by Vostrom Holdings, a US company that provides services to the US government through its subsidiary Packet Forensics.
In addition, in the management committee of Measurement Systems are found two companies whose addresses match those of people linked to Vostrom. One of these people has registered a company in the United States by the name of Measurement Systems LLC. This was written off when journalists from the WSJ began to investigate the matter.
Other information: among the shareholders of Packet Forensics is a certain Rodney Joffe, a cybersecurity consultant who specializes in data collection for government agencies. He would work in particular on projects classified as defense secret.
All this bundle of clues therefore suggests a data collection operation for the benefit of American intelligence agencies. There is currently no evidence to confirm this, but it would not be surprising.
In the past, the WSJ had already exposed the bulk purchase of geolocation data by government agencies from private companies. Mobile applications are becoming an even more interesting source of information as Internet traffic is increasingly encrypted.