Google Removes Popular Children's Android Apps for Stealing User Data

The apps which were targeted to children bundled Android ID and Android Advertising ID to track users' activity, violating Google's policy

Despite security improvements, Google's Play Store continues to be plagued with malicious apps. The fact that Google hosts close to 3 million apps on its platform makes the job even more difficult. As a result, a few malicious apps slip through the safety net. Such apps work as a backdoor for malware, collect data without proper authorization or just serve as adware.

In a recent report, International Digital Accountability Council (IDAC), a non-profit digital watchdog, found that three apps designed for children — Princess Salon, Number Coloring and Cats & Cosplay — with a combined download of over 20 million were collecting data that was in breach of Google's privacy policy. Google swiftly took action and removed them from the Play Store.

"The practices we observed in our research raised serious concerns about data practices within these apps. We applaud Google for taking steps to enforce on these apps and the third-party data practices within these apps," Quentin Palfrey, IDAC's president said.

android exploit
Three popular android apps for children were collecting user data that was in violation of Google's Play Store policy Pixabay

Breach of Privacy

The apps, however, were not developed with malicious intent. The code the developers used was legitimate and did not violate Play Store rules. However, the third-party frameworks the apps were developed on were problematic. Unity, Umeng and Appodeal SDKs were designed to collect Android ID and Android Advertising IDs for app monetization and analytics.

Android Advertising ID (AAID) is a unique identifier that advertisers use to track consumer behavior. It is used for aggregating user's data, meaning it shows a user's preference. Advertisers need to contact the platform to show an ad to a user.

However, AAID can be reset, erasing the past behavior. But in the case of the SDKs, they bridged the AAID with Android ID, which is another unique identifier that cannot be reset. By bridging the two, developers can essentially track users' entire data including geolocation and even resetting doesn't help.

"If AAID information is transmitted in tandem with a persistent identifier [such as Android ID] it's possible for the protection measures that Google puts in place for privacy protection to be bridged," Palfrey told TechCrunch.

Libii Tech
Three apps from Libii Tech and Creative APPS were developed on third-party SDKs that were culprit for collecting data Libii Tech/ Google

Serious Threat

Albeit, the developers of the three apps — Creative APPS and Libii Tech — allowed its apps that were targeted to children to collect data. While it is not known what kind of data it collected, since the privacy breach in question was regarding children, it creates a serious threat. However, the apps can still be downloaded from third-party app stores and are also available to download from their websites.

A Google spokesperson said that the company was still investigating and identifying such bad actors. However, this isn't the first time that Play Store has come under the scanner. Previously, it was reported that popular short video app TikTok bundled Android Advertising ID with devices' MAC ID to track user data between 2018 and 2019 despite Google banning the practice back in 2015. Even after TikTok stopped the practice in 2019, there were still apps on Play Store that continued to bundle AAID and MAC ID.

"For apps that wish to serve ads in kids and families apps, we ask them to use only ad SDKs that have self-certified compliance with kids/families policies. We also require that apps that solely target children not contain any APIs or SDKs that are not approved for use in child-directed services," Google said.

Related topics : Cybersecurity