Dangerous Play Store apps are revealing personal data of Android users

This app has been installed over 500,000 times, has 11,000 and, according to Forbes, it has leaked over 1.5 million user images, more than 385,000 videos, and millions of user generated AI files. The leak happened because a Google Cloud Storage bucket was misconfigured and this allowed anyone to access stored files, even those without authentication. Over 12 TB of media files belonging to users of the app were exposed via the bucket. We should note that the bucket stored and leaked 8.27 million media files as it collected every file since the app launched on June 13th, 2023.

The app does not appear in the PlayStore since Google has supposedly hidden it since reports came out about the app’s issues with user’s personal files and data.  But wait, this story gets even worse. An app called IDMerit from the same developer exposed information called “Know-your-customer (KYC) data.” This is the personal and professional information that businesses and financial institutions are legally required to get from you to verify your identity and determine what kind of risk is involved in doing business with you.

Obviously, this kind of information contains plenty of your information that you would not want to see get into the wrong hands. The KYC data, along with personally identifiable information, was exposed. This data belonged to individuals in the U.S. and 25 other countries including Germany, France, China, and Brazil. As one report said, “The leaked details include a treasure trove of personally identifiable information.” Such data included:

• Full names
• Addresses
• Post codes
• Dates of birth
• National IDs
• Phone numbers
• Genders
• Email addresses
• Telco metadata

If you don’t believe that access to such personal information is dangerous, you probably haven’t experienced what it’s like to have your sensitive data and credentials stolen. All of the apps you use for your bank accounts, securities trading accounts, credit card accounts, and more have to be considered compromised. Much of the fault can be placed on developers of  these leaky AI apps, who use an oft-criticized technique called “hardcoding secrets.” This practice leads to the embedding of sensitive info such as passwords and encryption keys right into the app’s source code.

72% of Play Store apps researchers analyzed had this vulnerability

Cybernews found that 72% of the hundreds of Play Store apps analyzed by researchers had similar vulnerabilities One issue is that malicious bots crawling through public repositories like GitHub can compromise a hardcoded key in seconds. Studies have shown that when a developer accidentally includes a hardcoded key to a public GitHub repository, it is compromised in less than five seconds.

How to avoid installing these apps

So what can you do to make sure that you don’t end up having your personal information floating around the internet? One thing you can do is to check out the developer’s portfolio of apps. If you see 50 similar looking titles, you might want to stay away from any app created by this developer since it indicates that this developer chooses quantity over quality. You should also look for Google’s “Verified Developer” badge in the Play Store.

Watch out for apps that make your phone run hot and drain the battery even when the app is closed. Also, beware of apps that offer a lifetime Pro subscription for a low price (like $4.99, for example). You might want to have the apps on your phone scanned by Google’s Play Protect. Open the Play Store and tap your Profile icon in the upper right corner. Select Play Protect > Scan.