Which Muslim Prayer Apps are secretly harvesting your phone numbers?

Do you know which Muslim prayer apps are secretly harvesting your phone numbers? Not all, but there could be a few. Google has recently banned several mobile applications from its Play Store after researchers revealed they contained hidden code to collect private consumer data secretly. The personal user data included an email address, phone number, location, and more, The Wall Street Journal reported.

Researchers’ verdict revealed prayer apps, weather apps, highway radar apps, QR scanners, and many others have codes that could stealthily harvest a user’s data like phone number, precise location, email address, etc. Measurement Systems made it, a company reportedly associated with a Virginia defense contractor that carries out cyber-intelligence and more for US national-security agencies. It has disowned the said news.

As research went ahead, researchers observed a software development kit (SDK) implanted in several applications to stealth away personal data from gadgets. That software development kit (SDK) had malware, and most apps were periodic functions. However, as the malware entered into devices, the internal programs stole away crucial data points about the user and the device.

The company behind the activity, Measurement Systems, allegedly hired developers to implant the code into their software development kits (SDKs), as The Wall Street Journal reported. The company paid developers a hefty amount to carry out this criminal act of embedding malware into their software and collecting consumers’ data points.

« A database mapping someone’s actual email and phone number to their precise GPS location history are particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals, » Reardon wrote in the AppCensus research blog.

The code is executed on countless Android gadgets, and numerous Muslim prayer apps contain it, which users have downloaded gazillion times. Several other trending user apps, including a highway-speed-trap detection app, and a QR-code scanner, possess the secret. Then the two researchers found out as they learned about the code structure while auditing theirs to check vulnerabilities in Android applications. They exchanged their research with Google and The Wall Street Journal.

According to Serge Egelman, one of the two researchers at the International Computer Science Institute:

Modern applications usually involve SDKs embedded by small companies like Measurement Systems « that aren’t audited or well understood. It is often enticing for app developers, who get a stream of income and detailed data about their user base. This saga underscores the importance of not accepting candy from strangers. »

« We later observed more unusual transmissions and observed that different apps running the same version of the SDK (version 2.78 in our examples) will collect different information. For instance, the Simple weather & clock widget app running this SDK includes the clipboard’s contents: whenever a user copies/pastes something, it goes to a shared clipboard, which this SDK was scouring and uploading to its servers. What gets put there is arbitrary data and can include passwords, for example, if a user uses a password manager. »

Their findings continued as they told that, « Other troubling transmissions we observed were the phone number of the device sent with the JSON key « PhoneNumber, » and the email address associated with the phone sent base64-encoded under the JSON key « Name. » It is worth noting that in apps that have access to the location permission, this SDK also collects precise GPS location and coarser router-based location data. The thought that this data collector could have built a database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as such a database could be used to run a service to look up a person’s location history just by knowing their phone number or email, and could be used to target journalists, dissidents, or political rivals. »

Who receives your data points?

« At this point, we wanted to figure out who owns mobile.measurelib.com, which was rather tricky. We searched for strings in the network traffic to measurelib.com, such as ARPSurvey, measurelib, and ClientIPv4, to see which SDK was responsible for them. Yet, none that we sought were present! The app’s privacy policy was also unhelpful in identifying this traffic to measurelib.com: while listing other location and router data collectors like Huq, they somehow omitted measurelib.com.

To find out more, we looked for other apps that talked to mobile.measurelib.com. We found a few, including Audio Quran, Qibla Compass, and a QR code scanner, all of which have location permissions. This means that if the user grants the app access to location data, then this SDK does not need a side channel to get the router’s MAC address. In such apps, when we performed our test, we found that they also shared precise GPS location information with measurelib.com, as well. »

Remove these apps from your devices.

Egelman and Reardon’s research article mentioned the list of apps where they discovered the code.

« The following table are the apps that we confirmed communicating with mobile.measurelib.com. We reported this issue to Google on October 20th, 2021, and this list of apps. They investigated it and removed these and other apps containing the SDK from the Play Store. The DNS records for mobile.measurelib.com have also been recently updated to point to the non-routable value of 127.0.0.1, and the public whois data for measurementsys.com has been updated so that it no longer includes VOSTROM Holdings, Inc. »

List of Apps to delete from your phone

• Speed Camera Radar
• Al-Moazin Lite (Prayer Times)
• Qibla Compass (Ramdan 2022)
• Simple Weather & clock widget
• Al Quran Mp3 – 50 Reciters & Translation Audio
• Full Quran MP3 – 50+ Languages & Translation Audio
• Audiosdroid Audio Studio DAW – Apps on Google Play
• Smart Kit 360
• WiFi Mouse(remote control PC)
• QR & Barcode Scanner
• Handcent Next SMS-Text w/ MMS

About Measurement Systems

Measurement Systems’ internet domain was registered in 2013 by a U.S.-based company called Vostrom Holdings Inc., according to a recent web domain records from March 2022. Those records enlist measurementsys.com as a registered service that “protects the privacy of domain name holders.”

Vostrom has business terms with the federal government through a subsidiary, Packet Forensics LLC, corporate records. Measurement Systems S de R.L. also mentioned two holding companies as officers, both of which share a Sterling, Va., address with people affiliated with Vostrom, according to corporate records. Moreover, one of those people controlled a U.S. LLC with the same name: Measurement Systems LLC, according to corporate ownership records. However, it was discarded as soon as the Journal received comments from Vostrom and Packet Forensics.

Measurement Systems explained its stance in an email: “The allegations you make about the company’s activities are false. Further, we are not aware of any connections between our company and U.S. defense contractors, nor are we aware of…a company called Vostrom. We are also unclear about what Packet Forensics is or how it relates to our company.” Measurement Systems didn’t respond to questions about how Vostrom registered their domain.

Wolfie Christl (@WolfieChristl), researcher, writer, and activist, broke this news on his Twitter on April 7, 2022. He tweeted:

Once again, researchers caught a data broker tied to US national security harvesting extensive personal information, including precise location via weather apps, QR readers, speed-trap detectors, and Muslim prayer apps installed on >60m Android smartphones.

App vendors added the software for profit. Measurement Systems offered to pay « from $100 to $10,000—or more—a month depending on how many active users.

And according to the WSJ, it told app vendors it wants data primarily from the Middle East, Asia, and Central/Eastern Europe.”

About Management Systems, Christl wrote in his tweet:

“Measurement Systems is a Panamanian company, but corporate+domain records link it to a Virginia defense contractor. The Panamanian company says it is not « aware » of the company that registered its domain. A US company with the same name dissolved after the WSJ seeking comment.”

Google released an official statement in response to the activity: “All apps on Google Play must comply with our policies, regardless of the developer. When we determine an app violates these policies, we take appropriate action.”