
Thousands of Android Apps Are Tracking Kids Without Parental Consent

April 16, 2018

Apps are also sharing data with third-party services

The Google Play Store may be full of apps and games that track children without express permission from a parent, and Google does not seem to be doing much about it.

Following Facebook’s data-leak scandal with Cambridge Analytica, a lot of people have turned their attention to other social networks that might be doing the same thing.
It turns out that we ought to be looking at mobile apps as well, at least on Android, as a newly released study reveals.

It’s one thing to track adults on Facebook or through other means, but tracking children feels even more despicable.
The companies doing it have a very good reason for it, and that reason is usually money.

Thousands of Android apps are tracking children

According to Education Week, a study named “’Won’t Somebody Think of the Children?’ Examining COPPA Compliance at Scale” was published in the Proceedings on Privacy Enhancing Technologies journal. It shows that a large number of Android apps may be violating US federal law by tracking minors and gathering their data without the express permission of their parents.

COPPA stands for the Children’s Online Privacy Protection Act; it protects children under the age of 13 and specifically restricts gathering their personal information without parental consent.

What’s even worse is that there are literally thousands of such apps, most of them still available for download today.
The study covered 5,855 popular Android apps released between November 2016 and March 2018.

The study uncovered some worrying facts.
About 5% of the apps gathered the user’s location and contact data (telephone number or email address) without any kind of parental consent.

Another 1,100 apps, about 19% of the total, shared sensitive information with third parties even though the terms of service prohibit such sharing.
This type of data is used for behavioral or targeted advertising.
Ever wonder why your kid is getting ads for exactly the toy he wanted?

39% of the apps in the study (2,281 of the 5,855) were in violation of Google’s terms of service, which prohibit sharing so-called persistent identifiers (hardware-bound values such as the IMEI or a MAC address, as opposed to the user-resettable advertising ID).
A persistent identifier is not personal information per se, but combined with other data and collected over long periods of time it can be used to build a profile of the user.

And, to make things even worse, of the 1,280 apps that used Facebook integration, about 92% did not use the SDK’s configuration setting intended to protect children under 13.
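The persistent-identifier finding above is something an app reviewer can check statically before an app ships. The Python script below is an added example, not code from the study or from Google: it walks the smali text that a disassembler such as apktool emits, records which classes read hardware-bound identifiers (IMEI, SIM serial, Wi-Fi and Bluetooth MAC, hardware serial, SSAID), and notes whether the app also fetches the resettable advertising ID and whether it ever sets the Facebook Audience Network child-directed flag. The sample smali, the package names in it and the `setIsChildDirected` method name are constructed or assumed for the demo.

```python
"""Static scan of decompiled Android code for persistent device identifiers.

Added example: not from the COPPA study or from Google. Input is the
smali text a disassembler (apktool/baksmali) emits; the sample below is
constructed for the demo, and the Audience Network method name used for
the child-directed check is an assumption about that SDK's API.
"""
from collections import defaultdict

# Hardware-bound identifiers. They survive app reinstalls (and mostly
# factory resets), which is what makes them usable for long-term profiling.
PERSISTENT_IDS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId(": "IMEI/MEID",
    "Landroid/telephony/TelephonyManager;->getSimSerialNumber(": "SIM serial",
    "Landroid/net/wifi/WifiInfo;->getMacAddress(": "Wi-Fi MAC",
    "Landroid/bluetooth/BluetoothAdapter;->getAddress(": "Bluetooth MAC",
    "Landroid/os/Build;->SERIAL": "hardware serial",
    '"android_id"': "SSAID",   # Settings.Secure.getString(resolver, "android_id")
}
# The user-resettable identifier that ad networks are expected to use instead.
ADVERTISING_ID = ("Lcom/google/android/gms/ads/identifier/AdvertisingIdClient;"
                  "->getAdvertisingIdInfo(")
# Facebook Audience Network flag for child-directed apps (assumed method name).
CHILD_DIRECTED_FLAG = "Lcom/facebook/ads/AdSettings;->setIsChildDirected("


def scan_smali(lines):
    """Walk smali lines, tracking the current class, and collect findings."""
    persistent = defaultdict(set)
    uses_advertising_id = False
    sets_child_directed = False
    current_class = "<unknown>"
    for raw in lines:
        line = raw.strip()
        if line.startswith(".class "):
            current_class = line.split()[-1]   # e.g. Lcom/adnet/sdk/DeviceInfo;
            continue
        for needle, label in PERSISTENT_IDS.items():
            if needle in line:
                persistent[label].add(current_class)
        if ADVERTISING_ID in line:
            uses_advertising_id = True
        if CHILD_DIRECTED_FLAG in line:
            sets_child_directed = True
    return {
        "persistent": {label: sorted(cls) for label, cls in persistent.items()},
        "uses_advertising_id": uses_advertising_id,
        "sets_child_directed": sets_child_directed,
    }


def findings(report):
    """Turn a scan report into the review points a COPPA audit would raise."""
    notes = []
    for label, classes in sorted(report["persistent"].items()):
        notes.append(f"reads {label} in {', '.join(classes)}")
    if report["persistent"] and report["uses_advertising_id"]:
        notes.append("combines persistent identifiers with the advertising ID "
                     "(bridges the resettable ID to a permanent one)")
    if not report["sets_child_directed"]:
        notes.append("Audience Network child-directed flag never set")
    return notes


# Constructed sample: a kids' game bundling a (fictional) ad SDK.
SAMPLE_SMALI = """\
.class public Lcom/example/kidsgame/MainActivity;
    invoke-static {p0}, Lcom/google/android/gms/ads/identifier/AdvertisingIdClient;->getAdvertisingIdInfo(Landroid/content/Context;)Lcom/google/android/gms/ads/identifier/AdvertisingIdClient$Info;
.class public Lcom/adnet/sdk/DeviceInfo;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    const-string v1, "android_id"
    invoke-static {v2, v1}, Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;
.class public Lcom/example/kidsgame/Net;
    invoke-virtual {v0}, Landroid/net/wifi/WifiInfo;->getMacAddress()Ljava/lang/String;
""".splitlines()

if __name__ == "__main__":
    for note in findings(scan_smali(SAMPLE_SMALI)):
        print("-", note)
```

Run it against `apktool d app.apk` output by feeding every `.smali` file's lines in sequence; the class attribution tells you whether the read sits in the app's own code or in a bundled ad SDK, which is the distinction the study's 19% figure turns on. A string scan is only a first pass: reflection and string encryption hide these calls, so a clean result is not proof of compliance, but a hit is something the developer has to explain.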

It’s worse than you imagine

The study only covered about 5,800 apps released over a span of about two years, a tiny fraction of the total number of apps in the store.
And the researchers were only looking at the most popular apps.

There are probably thousands more that are not as popular but possibly do even more harm.
The real question is: what is Google doing to control this problem?
The answer is probably not all that much.



YouTube illegally collects data from kids, group claims

April 11, 2018

YouTube is illegally making “substantial profits” from children’s personal data, according to a group of 23 child advocacy, consumer and privacy groups that have filed a complaint asking the Federal Trade Commission (FTC) to make it stop.

Kids are on the platform en masse, the group said, citing a study that found that 96% of children aged 6-12 are aware of YouTube and that 83% of children that know the brand use it daily.
In fact, last year, YouTube topped the list of favorite online kid brands, according to the study:

For the second year in a row, YouTube leads all 347 cross-category brands evaluated in the BRAND LOVE® study, solidifying its position as the most powerful brand in kids’ lives.
The platform’s ascent to the top is impressive, moving from a KIDFINITY score of 749 (and #86 ranking) in 2010 to the #1 brand that is disseminating trends, changing play patterns, and transforming the ways kids come of age.

No wonder kids have come to adore YouTube: the Google-owned company has been working hard to get their love and their little eyeballs on advertisements, the coalition says.

A case in point is YouTube Kids: launched in February 2015, it was designed to be a sanitized place where youngsters would be spared the hair-raising comments and content found on the rest of YouTube.

But YouTube recently found itself hiring thousands of moderators to review content on the broader site after nasty children’s content and child abuse videos got through both on YouTube and even on YouTube Kids.

Such moderation is not enough, say critics.
The Guardian quoted Josh Golin, executive director of the Campaign for a Commercial-Free Childhood (CCFC), which is one of the groups that filed the complaint.
Golin says YouTube is being disingenuous when it talks about children’s use of the platform:

For years, Google has abdicated its responsibility to kids and families by disingenuously claiming YouTube – a site rife with popular cartoons, nursery rhymes, and toy ads – is not for children under 13. Google profits immensely by delivering ads to kids and must comply with COPPA.
It’s time for the FTC to hold Google accountable for its illegal data collection and advertising practices.

The complaint continues…

YouTube also has actual knowledge that many children are on YouTube, as evidenced by disclosures from content providers, public statements by YouTube executives, and the creation of the YouTube Kids app.

At the time that YouTube Kids launched, Product Manager Shimrit Ben-Yair said that YouTube developed the app because “Parents were constantly asking us, Can you make YouTube a better place for our kids?”

Another of many examples of YouTube’s “actual knowledge” that kids are on the platform is a keynote by Malik Ducard, YouTube’s Global Head of Family and Learning, who explained that YouTube rolled out the kids version “as a mobile experience because of this reality – that we’re all familiar with – 75% of kids between birth and the age of 8 have access to a mobile device and more than half of kids prefer to watch content videos on a mobile device or a tablet.”

The group is urging the FTC to investigate the matter as it is illegal to collect data from kids younger than 13 under the Children’s Online Privacy Protection Act (COPPA).

However, this is exactly what is happening to under-13s who use YouTube – the group’s complaint says that Google collects personal information including location, device identifiers and phone numbers, and tracks them across different websites and services without first gaining parental consent, as is required by COPPA.

In response, a YouTube spokesperson had this to say in a statement sent to the Guardian:

While we haven’t received the complaint, protecting kids and families has always been a top priority for us.
We will read the complaint thoroughly and evaluate if there are things we can do to improve.
Because YouTube is not for children, we’ve invested significantly in the creation of the YouTube Kids app to offer an alternative specifically designed for children.


How to tell if Cambridge Analytica accessed your Facebook data

April 10, 2018

Here’s how to check if you or a Facebook friend were connected to the “This is Your Digital Life” quiz, which is how Cambridge Analytica harvested data.

Facebook has begun rolling out a feature to some users that will notify them if their data was accessed as part of the Cambridge Analytica data scandal.
Facebook previously promised it would notify users whose data may have been used for political gain.

Facebook users have started seeing one of two messages at the top of their News Feed — both using the header Protecting Your Information.
One message will focus on Cambridge Analytica, while the other focuses on general Facebook privacy, data, and app control.

If you’re waiting for Facebook’s News Feed notification, you can visit this link to see if your information was shared.

Up to 87 million Facebook users had their data improperly accessed, the social network has revealed.

If you or a Facebook friend were connected to the “This is Your Digital Life” quiz, which is the source of Cambridge Analytica’s data, you’ll see this message at the top of your news feed:

“We have banned the website ‘This Is Your Digital Life,’ which one of your friends used Facebook to log into.
You can learn more about what happened and how you can remove other apps and websites any time if you no longer want them to have access to your Facebook information.”

If your data wasn’t accessed by Cambridge Analytica, Facebook will link to broader settings so you can protect your information on the social network and across its vast app ecosystem.

It’s been about a month since it was revealed that Cambridge Analytica harvested information belonging to millions of Facebook users to determine how they might vote during US President Donald Trump’s election campaign. The scandal has rocked Facebook’s stock price and users’ trust in the company.

Facebook CEO Mark Zuckerberg is set to testify before Congress this week to answer lawmakers’ questions about the Cambridge Analytica scandal.
He’s repeatedly apologized for the scandal, and is promising more tools and transparency for Facebook users to protect their data.

Facebook hasn’t immediately responded to requests for comment on the rollout of the “This Is Your Digital Life” tool.


Kaspersky Finds Crypto Miners in Android Apps Published on Google Play Store

April 7, 2018

One of the apps was downloaded over 100,000 times

Security company Kaspersky has come across several Android apps published on the Google Play Store that come bundled with cryptocurrency miners.

The Russian vendor says most of the apps were published in the sports section and offered capabilities like streaming in an attempt to hide the spike in resource usage caused by crypto mining.

A Portuguese soccer streaming app, for instance, was downloaded more than 100,000 times, Kaspersky says, and it bundled a miner that kicked in once users started streaming.
This way, the malicious code was harder to detect by users because a spike in CPU usage is expected when streaming.

“The apps access the server. This same domain is used in the developer’s email address specified in the Google Play store. Unbeknown to visitors, the site runs a script that mines cryptocurrency,” Kaspersky notes.

The security company says crypto miners were bundled into many other apps as well, including a discount aggregator that, instead of opening sites with discounted products, loaded pages carrying cryptocurrency-mining code.

Apps already removed from the Google Play store

Also interesting was an app called Crypto Mining for Children that claimed to mine crypto for charity.

“The description contained no word about where or how the coins would be spent — something that any bona fide fundraising organization would publish.
What’s more, the name of the developer bore a striking resemblance to that of a well-known mobile app (a cryptocurrency wallet), but with one letter missing.
That’s a common trick used by phishers,” the firm says.
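The “one letter missing” trick Kaspersky describes is cheap to catch at submission time with an edit-distance check against a list of brands worth impersonating. The Python below is an added example, not Kaspersky’s or Google’s code; the brand list and the candidate publisher names are constructed for the demo.

```python
"""Catch publisher names one edit away from a well-known brand.

Added example, not Kaspersky's code: the brand list and the candidate
names below are constructed for the demo.
"""

KNOWN_BRANDS = ["Coinbase", "Blockchain", "MyEtherWallet", "Kaspersky Lab"]


def normalize(name):
    """Lower-case and drop spaces/punctuation so 'Kaspersky-Lab' == 'kaspersky lab'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalikes(candidate, brands=KNOWN_BRANDS, max_distance=1):
    """Brands the candidate imitates: near misses, not exact matches.

    Returns [(brand, distance)] sorted by distance. Distance 0 is the
    brand itself (a different check, against the verified account);
    anything beyond max_distance is treated as unrelated.
    """
    cand = normalize(candidate)
    hits = []
    for brand in brands:
        d = edit_distance(cand, normalize(brand))
        if 0 < d <= max_distance:
            hits.append((brand, d))
    return sorted(hits, key=lambda h: h[1])


def review_publishers(names, brands=KNOWN_BRANDS):
    """Map each submitted publisher name to the brands it looks like."""
    report = {}
    for name in names:
        hits = lookalikes(name, brands)
        if hits:
            report[name] = hits
    return report


# Constructed submissions: a deletion, an insertion, an unrelated name, an exact match.
SUBMITTED = ["Coinbse", "Kaspersky Labs", "Farm Game Studio", "Coinbase"]

if __name__ == "__main__":
    for name, hits in review_publishers(SUBMITTED).items():
        print(name, "->", hits)
```

Normalising first matters: a space or hyphen difference is also “one letter”. Pure edit distance does not catch homoglyphs (a Cyrillic letter standing in for a Latin one), which need a confusables mapping before the comparison; and a longer `max_distance` on short brand names quickly flags legitimate publishers, so tune it per brand length.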

Google has already been informed about these apps, and Kaspersky says all of them have been removed based on its findings. Note that removal from the store only stops new installs; it does not uninstall the apps from devices that already have them.

Users who installed apps like these are advised to run a security solution that can detect crypto miners, or at least to keep an eye on unusual CPU activity, which can be a sign of malicious code bundled into an app.


New Android Virus Extracts Your Facebook, Skype, Telegram Messages

April 3, 2018

Security company warns of new Android malware in the wild

Android devices are being targeted by a new form of malware that is specifically aimed at stealing private conversations on IM applications like Facebook Messenger, Skype, Telegram, Twitter, Viber, and others.

The malware, detected by Trustlook (reported via FossBytes), modifies a file under “/system/etc/” (a location that is only writable with root access) so that it starts at every boot, ensuring it can keep extracting instant messaging data after the device is restarted.

The first infected application is called Cloud Module and is spreading in China as package name
It hasn’t reached the Google Play Store yet, and the malware most likely targets devices through non-store distribution channels, such as email attachments and downloads from third-party hosting sites.

Chats uploaded to remote server

In other words, Android users who only install apps from the Google Play store should not encounter it.
Android security solutions could detect the Trojan, but Trustlook warns that it was designed to avoid detection, using anti-emulator and anti-debugger checks that let it evade dynamic analysis.

“Code obfuscation/hiding increases the malware author’s ability to avoid detection and becomes a sophisticated challenge to anti-virus software,” Trustlook notes in its analysis.

Once the malware compromises an Android device, it automatically looks for conversations in the targeted applications.
The data is extracted and then sent to a remote server.
The security vendor says the server’s IP address is hard-coded in the malware’s configuration file, so the Trojan can operate without any further commands sent by its author.

The full list of instant messaging apps that are being targeted by the malware is available below, and keep in mind that as long as you stick with legitimate download sources for Android apps, this new form of malware is highly unlikely to compromise your device.
Also, if you’re running third-party security software, keeping it updated should help block any possible intrusion.


That new ‘privacy icon’ in iOS 11.3 does nothing to prevent password phishing

March 30, 2018

iPhone users are still vulnerable to being tricked into handing over passwords.
Apple knows it — but won’t do anything about it

iPhone or iPad users: if you update to iOS 11.3 now, you’ll get new features and a bunch of security updates.
But you’ll still be just as vulnerable to on-device phishing attacks as you ever were.

A long-expected privacy icon debuts in the software update released Thursday; it helps users identify when Apple requests more of their personal information.
The update doesn’t change how much data Apple collects, but it shows what data will be collected when Apple apps and features are used for the first time.

“You won’t see this icon with every feature since Apple only collects this information when it’s needed to enable features, to secure our services, or to personalize your experience,” a screen says once you update.

Maybe the timing is a coincidence, but this seems like a way to grab some good headlines amid Facebook’s recent data sharing controversy.

Will Strafach, a security researcher with a focus on mobile, knows iOS better than most. He told ZDNet that the privacy icon will have some benefits.

“Although the purpose was misinterpreted as some kind of indicator — it is not — the actual purpose of giving information on how data is used is a very good thing I believe,” he said.
“Many people these days wonder about how their data is used and just have no idea, so if Apple is going to ask for something sensitive, it seems very helpful to give information to the user on data management — and users can then hold them to it instead of it being ambiguous.”

The downside is that, contrary to several reports, the privacy icon actually has nothing to do with preventing phishing attacks that try to steal your iCloud password.
For its part, Apple never confirmed that the privacy icon would do anything of the sort.

We reached out to Apple, but a spokesperson would not comment on the record.

Phishing attacks on the desktop have been around for years, but they rarely target the individual device the way these on-device prompts do.
And however widely celebrated iPhones and iPads are for their security, the weakest link is often the user, who can be tricked into handing over a password.

It’s a problem that Apple doesn’t seem to want to tackle — despite a rash of attention earlier this year, when Felix Krause demonstrated in a blog post how easy it was to trick an iPhone or iPad user into turning over their Apple ID credentials.

In a proof-of-concept, he said users are “trained to just enter” their email address and password “whenever iOS prompts you to do so.”
Any long-term iPhone or iPad user can tell you that their phone or tablet will randomly prompt for your password, but often it’s not clear why.
And that’s something attackers are keen to capitalize on.

One report called the attack a “hacker’s dream.”

“Showing a dialog that looks just like a system popup is super easy.
There is no magic or secret code involved.
It’s literally the examples provided in the Apple docs, with a custom text,” said Krause.

He described it as “less than 30 lines of code” that every iOS engineer would know.

Even with two-factor authentication, users aren’t necessarily safe, said Krause.
If you wanted to inflict damage, you only need a user’s Apple ID email address and password to wipe a person’s device without warning.

Apple says in a developer post that it’s difficult to combat phishing — or social engineering as it’s often referred to.

Others say it’s not that difficult.

“I would like to see the password requests show up as a banner alert or notification sent by the Settings app, which should send the user to the Settings app when pressed in order to enter their credentials,” said Strafach.

“No icon or anything else is sufficient because the running app is able to mess with all user interface elements including status bar,” he said. “Using an alert and redirect to Settings would completely solve the issue.”

It’s a simple solution that Krause — and others — have already suggested.
But Apple won’t budge, and its customers remain at risk.


Android security: This malware will mine cryptocurrency until your smartphone fails

March 29, 2018

Monero-mining Android malware will exhaust your phone in its quest for cash.

A new strain of Android malware will continuously use an infected device’s CPU to mine the Monero cryptocurrency until the device is exhausted or even breaks down.

Security company Trend Micro has named the malware HiddenMiner because of the techniques it uses to protect itself from discovery and removal.

Like most cryptocurrency-mining software, HiddenMiner uses the device’s CPU power to mine Monero.
But Trend Micro said that because there is no switch, controller, or optimizer in HiddenMiner’s code it will continuously mine Monero until the device’s resources are exhausted.

“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail,” the company said.

If the researchers’ concerns are correct, this is not the first cryptocurrency-mining malware to put your smartphone at risk: last year the Loapi Android malware worked a phone so hard that its battery swelled up and burst open the device’s back cover, wrecking the handset within 48 hours.

Trend Micro said the two pieces of malware share similarities, noting that Loapi’s technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner’s.

Researchers at the company identified the Monero mining pools and wallets connected to the malware, and spotted that one of its operators withdrew 26 XMR — around $5,360 — from one of the wallets.
This, they said, indicates a “rather active” campaign of using infected devices to mine cryptocurrency.

HiddenMiner poses as a legitimate Google Play update app, and forces users to activate it as a device administrator.
It will persistently pop up until victims click the Activate button; once granted permission, HiddenMiner will start mining Monero in the background.

It also tries to hide on infected devices, for example by emptying the app label and using a transparent icon after installation.
Once activated as device administrator, it hides itself from the app launcher and keeps running with device administrator permission until the next device boot.
HiddenMiner also has anti-emulator capabilities to bypass detection and automated analysis.

It’s also hard to get rid of: users can’t uninstall an active device admin package until its device administrator privileges are removed first.
But HiddenMiner locks the device’s screen when a user wants to deactivate its device administrator privileges, taking advantage of a bug found in Android operating systems before Android 7.0 Nougat.

Trend Micro said that HiddenMiner is found in third-party app marketplaces and is affecting users in India and China, but it won’t be a surprise if it spreads beyond these countries.

The emergence of this malware should reinforce the need for mobile security hygiene, said Trend Micro: download only from official app marketplaces; regularly update the device’s OS, and be careful about the permissions you grant to applications.