An investigation by AdGuard, an ad-blocking platform, has revealed a common link between several Chrome and Firefox extensions and Android & iOS apps that were caught collecting highly personal user data through various shady tactics.
The common link between all extensions and mobile apps is a company named Big Star Labs. AdGuard says this company is behind the development of the following tools, which include:
AdGuard estimates these apps had been installed on around 11 million devices.
The problem, according to AdGuard experts, is that these extensions and apps collect highly personal data, but they lie in their privacy policies, where they claim they collect only "non-personal" and "anonymized" data.
For example, AdGuard says the extensions and apps often collected full browsing history and did not anonymize URLs, allowing a third-party observer to determine the identity of the user and personal details about his browsing habits and real-world life.
In one case, an extension that blocked popups and page overlays collected data on all the pages a user visited, instead of just the pages where it blocked popups, which would have been the natural thing to do.
AdGuard points out that this practice of collecting in-depth user browsing history outside the scope of the original app/extension is against the policies of all app/extension stores, yet this extensions/apps are still available for download.
Furthermore, investigators point out that Big Star Labs, the company behind these apps and extensions, intentionally tried to mask its actions and identity.
"Big Star Labs is pretty good at hiding their affiliated apps and websites," Andrey Meshkov, co-founder of AdGuard said. "Every document that contains the company name is an image (in other words, you cannot simply Google their name), they use different accounts in extension stores, and the domain owners aren't publicized."
In addition, Meshkov points out that the privacy policies of all these apps and sites are only available as images, most likely to avoid being indexed by search engines, and to make it difficult for investigators to find pieces of text that may give away the company's extensive data collection and data sharing practices.
Researchers also point out that the mobile apps often employ tactics usually seen in malicious apps. For example, the iOS app prompts the user to install a Mobile Device Management (MDM) profile. This MDM profile allows the app to have full control over the device, to intercept traffic, and access any data, a reason why MDM profiles are often abused for espionage operations.
Second, all the company's Android apps ask the user for the rights to access the Accessibility service. This service is today's primary method through which most banking trojans and most Android malware take full control of infected devices. While AdGuard researchers didn't see Big Star Labs apps performing any malicious actions, they did point out that access to this service makes data collection very easy for the apps.
Meshkov claims these apps and extensions are in the same position as the Stylish extension, which was recently removed from the Mozilla and Chrome extension stores for secretly logging users' browser history.
Furthermore, the apps and extensions are also in clear violation in regards to the EU's latest GDPR privacy law because they do not ask for explicit consent to collect all this information.
Last but not least, the garbled privacy policies don't make it clear what exact data the extensions and apps collect, what's "personal" or "non-personal" data for Big Star Labs, or with who and how Big Star Labs shares this data with other companies.
Under normal circumstances, Mozilla and Google should intervene and remove these apps after confirming AdGuard's findings. The iOS app, which AdGuard first discovered pulling off shady tactics last September but did not know it was part of a larger arsenal of intrusive apps, is not available on the Apple App Store, hence, Apple can't really do anything about it.
Image credits: Warner Bros