These free Android, iOS apps are secretly spying on users' phones

At least 20 apps marketed as VPN, ad blocking, and Wi-Fi boosting apps with 35 million downloads are secretly spying on users' phones

As many as 20 ad-blocking and virtual private network (VPN) apps owned by analytics firm Sensor Tower have been secretly spying on users' phones, according to a BuzzFeed News investigation.

Sensor Tower owns more than 20 Android and iOS apps that are billed as ad blockers, Wi-Fi signal boosters and VPNs (which are used to mask one's IP address and protect users' privacy by re-routing internet traffic to and from a device through an encrypted channel).

Apps marketed as ad blockers, VPNs, Wi-Fi boosters

Once installed on to the device, the apps prompt the user to install a root certificate via a third-party website, a small file that lets its issuer access all traffic and data passing through the phone. This allows it to bypass the Apple App Store and Google Play Store's security restrictions, as reported by BuzzFeed News.

Luna VPN, for example, shows a notification that offers the ability to block ads on YouTube if a user adds the Adblock extension, another SensorTower product. This kick-starts a process that results in a root certificate installation.

Luna VPN
Luna VPN on Google's Play Store. Luna VPN

Sensor Tower's apps are used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps. The apps "don't disclose their connection to the company or reveal that they feed user data to Sensor Tower's products," BuzzFeed noted.

Which apps are owned by Sensor Tower?

All 20 or so apps owned by Sensor Tower have crossed 35 million downloads on the Apple and Google app marketplaces. The full list of apps has been tweeted by BuzzFeed News' Media Editor Craig Silverman.

Four of these apps were recently available on the Play Store namely Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus. The Adblock Focus and Luna VPN apps were also available on the App Store. While some of the apps were removed from app stores for violating security guidelines, Apple and Google removed more after BuzzFeed reached out to them and is currently investigating others.

Sensor Tower head of mobile insights Randy Nelson told BuzzFeed that they "take the app stores' guidelines very seriously and make a concerted effort to comply with them, along with any changes to these rules that occur from time to time."

"Our apps do not track, request, or store any sensitive user data such as passwords, usernames, etc., from users or other apps on a user's device, including web browsers," he added.