Researchers have discovered a collection of privacy-related apps and browser extensions that track users’ activity and send it to a remote server. The suspicious software has over 11 million users in total, and includes extensions for Chrome and Firefox, as well as mobile apps for iOS and Android.
According to Andrey Meshkov of AdGuard, the extensions all appear to belong to one company: Big Star Labs. This isn’t immediately obvious because many of the apps are published under different names, and their privacy policies are only available as image files, which means the text can’t be indexed by Google. AdGuard was only able to find the connections by trawling through the policies manually.
Meshkov found issues with the following tools (some of which have now been removed from the respective app stores):
- Block Site
- Mobile Health Club apps
- Poper Blocker
Read the fine print
The mobile apps are particularly concerning. All of the Android apps request access to the operating system’s Accessibility Services, which allows apps to perform tasks that would usually require user interaction, such as tapping and swiping (something Google tried to crack down on last year).
Meanwhile, one iOS app offers to install a Mobile Device Management profile, which allows it to see all the apps installed on your phone, see your browser history, and potentially even install new apps.