It's not actually quite this stylish when your personal data is unwittingly siphoned from your phone.
PM Images | Getty Images

Generally, if someone is installing a VPN or ad-blocker on their mobile phone, they’re doing it to increase their privacy. But several apps distributed by an analytics firm that hid its connection to them have been doing the exact opposite, instead siphoning data from millions of users, a new report finds.

BuzzFeed News reports that the apps come from Sensor Tower, a firm that bills itself as “the leading provider of market intelligence and insights for the global app economy.” The company analyzes app use across platforms to, for example, list the top-grossing applications across platforms in a given month. (Spoiler: It’s apparently always Tinder.)

Sensor Tower, founded in 2013, has published at least 20 Android and iOS apps of its own in the past five years, such as Luna VPN and Adblock Focus. BuzzFeed found that several of these apps, sometime after installation, prompt users to install a root certificate in order to access features. For example, Luna VPN gives users a prompt to add an extension for blocking ads in YouTube. Following through takes users to an external website to download and install the certificate, thus doing an end run around Google and Apple restrictions.

Many users do not necessarily realize the implications of granting any company that level of access to their device, an analyst with Malwarebytes pointed out to BuzzFeed, particularly when the request is part of app use after the installation stage.

Sensor Tower also conceals its connection to the apps in public. Luna VPN, for example, is listed on the Google Play Store as distributed by Emban Networks (which has no other apps listed). Similarly, Adblock Focus is apparently the one and only product distributed by Orbital Software, Inc.

Sensor Tower told BuzzFeed it only collects anonymized usage and analytics data, which it then integrates into the “intelligence” products that it sells to developers, investors, and other entities. The company also claimed not to collect sensitive data or personally identifiable information from users. Given how easily researchers have been able to identify users from theoretically anonymized data time and time again in the past decade, though, one may wonder how well that claim holds up.

Most of the company’s apps are no longer available on either the iOS App Store or the Google Play Store. Sensor Tower told BuzzFeed it was “in the process of sunsetting.” An Apple spokesperson, however, told BuzzFeed that a dozen of the company’s apps were previously removed from the iOS App Store for policy violations. After being contacted by BuzzFeed, Apple pulled Adblock Focus and said it was investigating Luna VPN.

Google also removed a Sensor Tower app, Mobile Data, from its online storefront after being contacted by BuzzFeed and said it was investigating the others.