The Panamanian company that wrote the code, Measurement Systems S. de R.L., is linked through corporate records and web registrations to a Virginia defense contractor that does cyberintelligence, network-defense and intelligence-intercept work for U.S. national-security agencies.
The code ran on millions of Android devices and has been found inside several Muslim prayer apps that have been downloaded more than 10 million times, as well as a highway-speed-trap detection app, a QR-code reading app and a number of other popular consumer apps, according to two researchers who discovered the behavior of the code in the course of auditing work they do searching for vulnerabilities in Android apps. They shared their findings with Google, a unit of Alphabet Inc., federal privacy regulators and The Wall Street Journal.
Measurement Systems paid developers around the world to incorporate its code—known as a software development kit, or SDK—into their apps, developers said. Its presence allowed the Panamanian company to surreptitiously collect data from their users, according to Serge Egelman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary.
Modern apps often include SDKs written by little-known companies like Measurement Systems “that aren’t audited or well understood,” Mr. Egelman said. Inserting them is often enticing for app developers, who get a stream of income as well as detailed data about their user base.
“This saga continues to underscore the importance of not accepting candy from strangers,” Mr. Egelman said.
The two men—who also co-founded a company called AppCensus that examines the security and privacy of mobile apps—consider the software to be the most privacy-invasive SDK they have seen in the six years they have been examining mobile apps. It can “without a doubt be described as malware,” Mr. Egelman said.
He and Mr. Reardon documented their findings on the Measurement Systems code in a report published Wednesday that was shared with the Journal and was earlier provided to the Federal Trade Commission. In the post, the two men detailed the list of apps where they found the code. They also shared their findings in March with Google, which initiated an investigation resulting in the ban. “FTC investigations are nonpublic, we cannot comment on whether we are investigating a particular matter,” an FTC spokeswoman said.
The apps containing Measurement Systems software were removed from the Google Play Store as of March 25, according to Scott Westover, a Google spokesman, for collecting users’ data outside the rules that Google has established. Mr. Westover said the apps could be relisted if the software was removed. Some are already back in the App Store.
Google’s action doesn’t impair Measurement Systems’ ability to collect data from the millions of phones around the world where its software is already installed. Messrs. Egelman and Reardon found that the SDK stopped collecting data on its users and unplugged itself shortly after the two men began circulating their findings.
Measurement Systems software ran inside more than a dozen apps—including numerous Muslim-themed prayer apps such as Al Moazin and Qibla Compass, according to Messrs. Egelman and Reardon. The Measurement Systems software kit was present on apps downloaded on at least 60 million mobile devices and likely many more, according to the two researchers. Google declined to say how many apps in total contained the software.
According to their findings, the software’s true reach could be much larger as it can spot the existence of other devices running on the same Wi-Fi network as one using an app that has the code, potentially providing a way to map social networks.
Parfield, the Egypt-based developer of Al Moazin and other religious-themed apps, said it was told Measurement Systems was collecting data on behalf of internet-service providers as well as financial-service and energy companies. The makers of Qibla didn’t respond to a request for comment.
Measurement Systems told app-makers it wanted data primarily from the Middle East, Central and Eastern Europe and Asia, according to documents reviewed by the Journal—an unusual request because U.S. and Western European data typically commands the highest prices among commercial brokers. Several developers said Measurement Systems required them to sign nondisclosure agreements.
The Measurement Systems SDK was in other popular Android consumer apps, including weather apps, QR code scanners and the highway-radar detection app. Pixalate, a third-party company that monitors app analytics, provided the Journal with data about the geographical distribution of users of apps running Measurement Systems. One weather app that the code was running inside was particularly popular in Iran.
The SDK was harvesting a large amount of data about each user—including precise location, personal identifiers such as email and phone numbers as well as data about nearby computers and mobile devices, Messrs. Reardon and Egelman found. While consumer-data brokers sometimes collect such data, they typically don’t include personalized identifiers such as email addresses and phone numbers, as that can run afoul of data-privacy laws.
The Measurement Systems SDK can also collect information that is stored in the phone’s clipboard—passwords, for example—whenever the cut-and-paste feature is used. And it has the ability to scan some parts of the phone’s file system, including specifically the files stored in the WhatsApp downloads folder, Messrs. Reardon and Egelman discovered. It couldn’t necessarily read the contents of the files but it could match them against known files using a technique called compare-by-hash.
WhatsApp is widely used across the world as an alternative to text messages, but it encrypts messages as they cross the internet, protecting users’ privacy but often frustrating the ability of law enforcement and intelligence agencies to intercept content.
“A database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals,” Mr. Reardon wrote in a blog post explaining their findings.
The Defense Department and other national-security entities have previously said they buy large amounts of data sourced from commercial providers but have declined to discuss specifics. “As part of their authorized activities, Department of Defense Components purchase publicly and commercially available data to inform analysis of foreign threats to national security,” a Pentagon spokesman said previously.
Measurement Systems’ internet domain was registered in 2013 by a U.S.-based company named Vostrom Holdings Inc., according to web domain records from as recently as last month. Those records now list measurementsys.com as being registered to a service that “protects the privacy of domain name holders.”
Vostrom does business with the federal government through a subsidiary, Packet Forensics LLC, according to corporate records. Measurement Systems S de R.L. also listed two holding companies as officers, both of which share a Sterling, Va., address with people affiliated with Vostrom, according to corporate records. In addition, one of those people controlled a U.S. LLC with the same name: Measurement Systems LLC, according to corporate ownership records. It was dissolved the same week the Journal sought comment from Vostrom and Packet Forensics.
Measurement Systems said in an email: “The allegations you make about the company’s activities are false. Further, we are not aware of any connections between our company and U.S. defense contractors nor are we aware of…a company called Vostrom. We are also unclear about what Packet Forensics is or how it relates to our company.” Measurement Systems didn’t reply to questions about how their domain came to be registered by Vostrom.
Vostrom and its subsidiaries are affiliated with Rodney Joffe, a longtime cybersecurity consultant for the U.S. government, and are run by several of his protégés, according to corporate ownership records and a person familiar with the matter.
“Mr. Joffe has a minority ownership interest in Packet Forensics and serves as the nonexecutive chairman, but has had no operational role in the business for many years. Mr. Joffe has never had a financial interest in, or been engaged by, Vostrom Holdings,” said a spokeswoman for Mr. Joffe.
Mr. Joffe sources specialized data and capabilities for government entities, sometimes on classified programs, people familiar with his career say. He has figured prominently in a long-running controversy about the monitoring of web traffic at properties belonging to Donald Trump during the 2016 election.
As a growing percentage of information on the internet has become encrypted, governments have turned to software on mobile devices to collect information about people and the places they go. A robust market has emerged for collecting location data from phones, and government agencies have become major buyers of such data, the Journal has reported.
The data can include geolocation, prompting the growth of a multibillion-dollar location-analytics industry to understand the movements of people. Numerous technology executives whose companies don’t typically sell to the government have also described being approached by U.S. intelligence agencies and asked to voluntarily provide data in bulk about their users, or to run warrantless queries of their data for law enforcement.
Measurement Systems offers to pay developers to include its software code in their mobile apps, saying the code collects “non-personal information about app users.”
In documents reviewed by the Journal, it told developers they could earn anywhere from $100 to $10,000—or more—a month depending on how many active users it could deliver. The company was particularly interested in users who had enabled the app to access a user’s location, the documents showed, but it emphasized that it didn’t need for such permissions to be enabled to collect data.