Facebook and Twitter are both warning users about a number of mobile apps that were secretly collecting people’s personal information from their social media profiles.
The apps were loaded with malicious software development kits (SDKs) that pulled details such as email addresses, names, and genders from users’ Facebook and Twitter accounts. The same SDKs were also theoretically capable of taking over a user’s Twitter account.
Allegedly, the suppliers of the malicious SDKs were OneAudience and MobiBurn, which promise to help app makers rake in revenue. According to Facebook, the two companies were paying developers to use their SDKs “in a number of apps available in popular app stores.”
“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn,” Facebook said in a statement. “We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender.”
Oddly, Facebook declined to say which mobile apps were loaded with the malicious SDK. The company’s statement also suggests the SDK did not so much collect users’ personal data as hand off to third parties data the users had already permitted the apps to access, a practice Facebook has been trying to crack down on since the Cambridge Analytica scandal.
However, Twitter told PCMag the problematic computer code was found in at least two Android apps called Giant Square and Photofy, which specialize in photo editing.
We recently received a report of a malicious software development kit available through third-party app stores that may have put some people who use Twitter for Android at risk. To keep your account safe, we would encourage you to read this post: https://t.co/zU0tYsGuZ2
— Twitter Support (@TwitterSupport) November 25, 2019
“We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS,” the company wrote in a blog post.
The company declined to specify the exact number of users ensnared in the data collection. But Twitter told PCMag it was a “small group of people,” who were both using the affected apps and also logged in via Twitter.
“We will be directly notifying people who use Twitter for Android who may have been impacted by this issue,” the company added in its blog post. “There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately.”
Although both Facebook and Twitter are using the word “malicious” to describe the SDKs, the data collection (sadly) sounds pretty standard in today’s digital world. Marketing companies are consistently coming up with ways to vacuum up users’ personal information in an effort to target users with ads, but then burying the details in privacy policies.
OneAudience and MobiBurn did not immediately respond to a request for comment. However, MobiBurn says on its website that the company discontinued its SDK this month. The business itself was focused on collecting data and delivering it to MobiBurn’s marketing partners.
OneAudience also appears to have pulled the plug on its SDK, which was designed to help app makers discover demographic information about their users. This included collecting data on users’ “interests, lifestyle, [and] purchase intent.”
Both Facebook and Twitter say they learned of the unwarranted data collection based on a tip from unnamed security researchers. “We have informed Google and Apple about the malicious SDK so they can take further action if needed,” Twitter added.