Shady Android Apps Got Your Personal Info From Twitter And FB Via a Malicious Kit
Tech companies are just not getting the importance of data privacy, are they? Yet again, they are playing fast and loose with our data. This time around, it is Facebook and Twitter saying that some apps on the Google Android platform may have accessed user data because of a malicious software development kit maintained by oneAudience. This means that certain apps downloaded from the Play Store on Android phones, and used the Facebook or Twitter single sign on (SSO) option now have access to personal data that wasn’t supposed to be shared with them in the first place. At this time, it is understood that only the Android platform has this vulnerability.
“This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK. While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so,” says Twitter in an official statement. They go on to say that they have evidence to suggest that this SDK was used to access people’s personal data for at least some Twitter account holders using Android phones. However, there is no evidence that the iOS version of this malicious SDK targeted people who use Twitter on the Apple iPhone.
Twitter says they have informed Google about this vulnerability, and are now reaching out to Twitter for Android users who may have been impacted by this issue.
Facebook is also suggesting that specific user data may have been revealed to these apps, depending on what permissions users allowed and enabled when using Facebook account credentials to sign in. “Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts,” a Facebook spokesperson told CNBC.
Mobiburn insists they have done no wrong. “Mobiburn only facilitates the process by introducing mobile application developers to the data monetization companies. This notwithstanding, Mobiburn stopped all its activities until our investigation on third parties is finalized,” the company said in an official statement.
This comes at a time when Facebook, Twitter and indeed Google are facing increasing scrutiny from regulators, particularly in the US, regarding their handling of user data and how it is used to track usage and enable targeted advertising, both often without user consent.