News

Dangerous Play Store apps are revealing personal data of Android users

News Room
News Room
Dangerous Play Store apps are revealing personal data of Android users

Inside the Google Play Store sits a large number of potentially dangerous apps. These are unlicensed and in some cases unsecured AI apps that are being promoted for editing and identity verification. What is dangerous about these apps is that they have exposed billions of personal records belonging to Android users. A report says that one particular app is a huge problem. That app, listed in the Google Play Store, is called “Video AI Art Generator & Maker.”

Watch out for another app from the same developer called IDMerit

This app has been installed over 500,000 times, has 11,000 and, according to Forbes, it has leaked over 1.5 million user images, more than 385,000 videos, and millions of user generated AI files. The leak happened because a Google Cloud Storage bucket was misconfigured and this allowed anyone to access stored files, even those without authentication. Over 12 TB of media files belonging to users of the app were exposed via the bucket. We should note that the bucket stored and leaked 8.27 million media files as it collected every file since the app launched on June 13th, 2023.
The app does not appear in the PlayStore since Google has supposedly hidden it since reports came out about the app’s issues with user’s personal files and data.  But wait, this story gets even worse. An app called IDMerit from the same developer exposed information called “Know-your-customer (KYC) data.” This is the personal and professional information that businesses and financial institutions are legally required to get from you to verify your identity and determine what kind of risk is involved in doing business with you.

This is the type of personal info IDMerit gave malicious attackers access to

Obviously, this kind of information contains plenty of your information that you would not want to see get into the wrong hands. The KYC data, along with personally identifiable information, was exposed. This data belonged to individuals in the U.S. and 25 other countries including Germany, France, China, and Brazil. As one report said, “The leaked details include a treasure trove of personally identifiable information.” Such data included:

  • Full names
  • Addresses
  • Post codes
  • Dates of birth
  • National IDs
  • Phone numbers
  • Genders
  • Email addresses
  • Telco metadata

If you don’t believe that access to such personal information is dangerous, you probably haven’t experienced what it’s like to have your sensitive data and credentials stolen. All of the apps you use for your bank accounts, securities trading accounts, credit card accounts, and more have to be considered compromised. Much of the fault can be placed on developers of  these leaky AI apps, who use an oft-criticized technique called “hardcoding secrets.” This practice leads to the embedding of sensitive info such as passwords and encryption keys right into the app’s source code.

72% of Play Store apps researchers analyzed had this vulnerability

Cybernews found that 72% of the hundreds of Play Store apps analyzed by researchers had similar vulnerabilities One issue is that malicious bots crawling through public repositories like GitHub can compromise a hardcoded key in seconds. Studies have shown that when a developer accidentally includes a hardcoded key to a public GitHub repository, it is compromised in less than five seconds.

The good news is that researchers say that Codeway, the developer of IDMerit and Video AI Art Generator & Maker (the two Play Store apps mentioned in this article) was able to secure access to the data for the IDMerit app on February 3rd.

How to avoid installing these apps

So what can you do to make sure that you don’t end up having your personal information floating around the internet? One thing you can do is to check out the developer’s portfolio of apps. If you see 50 similar looking titles, you might want to stay away from any app created by this developer since it indicates that this developer chooses quantity over quality. You should also look for Google’s “Verified Developer” badge in the Play Store.

Watch out for apps that make your phone run hot and drain the battery even when the app is closed. Also, beware of apps that offer a lifetime Pro subscription for a low price (like $4.99, for example). You might want to have the apps on your phone scanned by Google’s Play Protect. Open the Play Store and tap your Profile icon in the upper right corner. Select Play Protect > Scan.

Try Noble Mobile for only $10

Get unlimited talk, text, & data on the T-Mobile 5G Network plus earn cash back for data you don’t use.


Buy at Noble Moblie

Read the latest from Alan Friedman

Share This Article
Previous Article 5 Phones With Batteries That Last Longer Than The Samsung Galaxy S25+ – BGR 5 Phones With Batteries That Last Longer Than The Samsung Galaxy S25+ – BGR
Next Article Reddit Is Quietly Becoming an AI Slopfest. Can Anyone Save It? Reddit Is Quietly Becoming an AI Slopfest. Can Anyone Save It?
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Latest News

28 Brands on TikTok to Inspire Your Feed |
28 Brands on TikTok to Inspire Your Feed |
Computing
Unfortunately, It’s Time to Talk About 6G. Here’s What You Need to Know
Unfortunately, It’s Time to Talk About 6G. Here’s What You Need to Know
News
Demand for the Unihertz Titan 2 Elite hits a very impressive level
Demand for the Unihertz Titan 2 Elite hits a very impressive level
News
Tencent celebrates first anniversary of Delta Force, a notable step for China-made FPS games · TechNode
Tencent celebrates first anniversary of Delta Force, a notable step for China-made FPS games · TechNode
Computing
Lost your password?