- Longman Contemporary English (v. 1.81) - com.flexidict.data.longmancontemporary, currently removed from the Play Store
- Cambridge American Idiom (v. 1.81) - com.flexidict.data2.cambridgeamericanidioms – currently removed from the Play Store.
- OLJ (v. 1.1) - reads contact names and contacts’ email addresses and sends them to a remote server.
- 3D Badminton II (v. 2.026) - reads contacts’ emails and sends them to a server in Hong Kong.
Among the most interesting pieces of information for an advertising network are e-mail addresses and unique device IDs / IMEI. This data also may be shared with third parties to, for example, send consumers behaviorally targeted advertisements, according to a recent Federal Trade Commission report.
About 14.58% of the Android applications may leak your Device ID and 5.73% of the total number of apps may leak your e-mail. Again, iOS applications appear to be more focused on harvesting private data than those designed for Android. Following the security incidents in 2012, when the Blue Toad advertising agency leaked one million UDIDs, Apple decided to deprecate the UDID API.
Android applications that leak the e-mail address:
- Logo Quiz Car Choices (v. 18.104.22.168) – car.logo.quiz.game.free – between 100,000 and 500,000 installations
- Blowing sexy girl’s skirt (v. 1.6.0) – yong.app.blowskirt – between 100,000 and 500,000 installations.
- Football Games - Soccer Juggle (v. 1.4.2) – com.madelephantstudios.BallTapp – between 100,000 and 500,000 installations
- Logo Quiz NFL NHL MLB NBA MLS (v. 22.214.171.124) – com.fesdra.logoquiz.ussport – between 100,000 and 500,000 installations.
- Ringtone Maker (v. 1.7) - sends the device ID to "adfonic.net".
- Paradise Island: Exotic (v. 1.3.14) - sends the device ID to third-party websites ("offer.17bullets.com", "islandexotic.17bullets.com", "ma.mkhoj.com", "1.trace.multiclick.ru", "a.jumptap.com", "soma.smaato.com").
Phone numbers are the link between a user’s physical identity and virtual persona. They allow an aggregating party to correlate information about the user’s behavior in applications (what content they are interested in, what applications they have installed and so on), and possibly link this information to an existing person, represented by a name and surname. 8.82% of the applications analyzed by Clueful for Android might leak the device’s phone number to third-party advertisers. Applications integrating the AirPush and (in some circumstances) LeadBolt frameworks allow the developer to collect, encrypt and send the device’s phone number. In some countries, carriers block this behavior to safeguard the user’s data.