New research has revealed troubling information about several popular smartphone apps that are covertly taking screenshots of users’ activity. Researchers from Northeastern University in the US analysed over 17,000 of the most popular apps on the Android operating system, with the help of an automated test program developed by students. Of the analysed apps, 9,000 were found to have the potential to take screenshots.
Thousands of Popular Android Apps Can Share Your PII with Third Parties
This data is then shared with third parties, a disturbing fact that puts users’ personally identifiable information, such as usernames, passwords, and credit card numbers, in jeopardy.
These details are exposed because the screenshots taken by the invasive apps could capture practically every bit of information shown on a mobile device. “We found that thousands of popular apps have the ability to record your screen and anything you type,” explained David Choffnes, a professor at Northeastern University in the US and member of the team behind this latest research. Anything the user types may include the username and password for various accounts, since a screen recording can capture the characters typed before they turn into black dots.
But why did the researchers decide to look into these popular apps in the first place? The study is meant to investigate a “persistent urban legend” that smartphones are secretly spying on us, recording conversations and selling the information to marketing companies. This all may sound like a conspiracy theory but the truth is as disturbing as it gets. In David Choffnes’s own words, the team “knew we were looking for a needle in a haystack, and we were surprised to find several needles”.
The researchers did discover that some companies are sending both screenshots and videos of users’ mobile activities to third parties, proving how easy it is to breach a smartphone. The researchers also said that they anticipate this opening will be used for malicious activities, as it is quite simple to install and collect this information. Needless to say, all of this is happening without the users’ initial knowledge or consent.
In a particular case detected by the team, the information sent to a third party was zip codes, but it could have been credit card numbers
One of the faulty apps caught “delivering” sensitive information to third parties has been identified as GoPuff, a fast-food delivery service, which sent users’ screenshots (without their consent) to Appsee, a data analytics firm for mobile devices.
The “shared information” wasn’t used for any nefarious purpose, as it is typically used by developers to debug their apps, but that doesn’t mean malicious actors won’t take advantage of this window of opportunity. “That has the potential to be much worse than having the camera taking pictures of the ceiling or the microphone recording pointless conversations. There is no easy way to close this privacy opening,” concluded Choffnes.