More browser extensions and apps caught spying on users

When does a pop-up blocker stop being a pop-up blocker and turn into something altogether different?

According to AdGuard researcher Andrey Meshkov, the answer might be when the pop-up blocking function appears to obscure an ulterior motive – spying on a user’s web traffic as a way of profiling them.

The object of suspicion was a family of 10 Android apps, browser extensions and an iOS app from Delaware-registered US outfit Big Star Labs, which have been installed on at least 11 million devices.

After studying the traffic generated by three extensions – Chrome/Firefox adblockers Poper Blocker and Block Site, and Chrome mouse utility CrxMouse – Meshkov noticed something that looked odd:

An exact address of every page you visit is sent to a remote server.

This contradicts Google’s developer rules, although the adblockers’ privacy policies try to justify it as a normal part of their operation in which the collected data is “anonymous”.

Except, as Meshkov notes, collecting the user’s entire browsing history seems unnecessary for adblocking and would be likely to compromise a user’s anonymity pretty quickly anyway.

As Meshkov points out:

There are numerous ways of discovering your real identity from observing your browsing history.
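The behaviour described above, every visited address turning up in traffic to an unrelated server, can be checked for in a proxy capture. The sketch below is an added example and not code from Meshkov's research or from AdGuard; the capture records, host names and the `find_url_leaks` helper are all constructed for illustration.

```python
import base64
from collections import defaultdict
from urllib.parse import quote, urlsplit

# Constructed sample capture (not data from the research): top-level
# navigations ("nav") and background requests ("req") seen by a local proxy.
CAPTURE = [
    {"kind": "nav", "url": "https://bank.example/accounts?id=42"},
    {"kind": "req", "url": "https://stats.collector.example/v1/log",
     "body": "u=https%3A%2F%2Fbank.example%2Faccounts%3Fid%3D42&t=1"},
    {"kind": "req", "url": "https://cdn.bank.example/app.js", "body": ""},
    {"kind": "nav", "url": "https://clinic.example/results/7"},
    {"kind": "req", "url": "https://stats.collector.example/v1/log",
     "body": "d=" + base64.b64encode(b"https://clinic.example/results/7").decode()},
    {"kind": "req", "url": "https://fonts.example/css?family=Open+Sans", "body": ""},
]

def encodings(url):
    """Forms in which a page URL commonly appears inside another request."""
    raw = url.encode()
    # Padding is stripped because senders often drop the trailing "=".
    return {url, quote(url, safe=""),
            base64.b64encode(raw).decode().rstrip("="),
            base64.urlsafe_b64encode(raw).decode().rstrip("=")}

def find_url_leaks(events, min_pages=2):
    """Return {host: visited URLs it received} for hosts sent >= min_pages URLs."""
    visited, seen = [], defaultdict(set)
    for ev in events:
        if ev["kind"] == "nav":
            visited.append(ev["url"])
            continue
        dest = urlsplit(ev["url"]).hostname
        payload = ev["url"] + "\n" + ev.get("body", "")
        for page in visited:
            page_host = urlsplit(page).hostname
            # Skip first-party traffic: a site seeing its own URLs is expected.
            if dest == page_host or dest.endswith("." + page_host):
                continue
            if any(form in payload for form in encodings(page)):
                seen[dest].add(page)
    return {h: sorted(p) for h, p in seen.items() if len(p) >= min_pages}

if __name__ == "__main__":
    for host, pages in find_url_leaks(CAPTURE).items():
        print(f"{host} received {len(pages)} visited URLs: {pages}")
```

A host that receives the addresses of pages on several unrelated sites is the pattern to look for; encrypted or custom-encoded payloads will not match this simple substring check.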

The fact Big Star Labs publishes its privacy policy as an image rather than a text document (potentially making it harder for researchers to find) only reinforced his suspicions about the apps.

Bizarrely, the same image tactic had been employed for all documents mentioning the company’s name, which makes searching for it on Google come up blank.

Things weren’t much better for Big Star Labs’ mobile apps. The iOS adblocker, AdblockPrime, offered to install a Mobile Device Management (MDM) profile capable of installing third-party apps, analysing the device’s installed apps, and viewing its browsing history.

All of the Android apps requested access to Accessibility Services, a powerful API that, Meshkov said, can be used to “extract page URLs right from the browser’s address bar,” which is probably why Google has attempted to crack down on its use.

The researcher compares what these apps are collectively doing to the Chrome and Firefox Stylish extension, whose unappealing behaviour app researcher Robert Heaton exposed earlier this month.

Not long after that report, Stylish started returning a 404 error, a sign that Google and Mozilla had decided to intervene – a fate that seems to have befallen Big Star Labs’ apps too since Meshkov published his analysis.

Naked Security reports regularly on apps and extensions that seem to have a double purpose. So who’s to blame for the situation?

It could be argued that it’s down to companies such as Google and Mozilla, which allow these apps and extensions to be let loose on real users.

It doesn’t exactly help that publishers are able to game the system with ambiguous and sometimes downright misleading privacy policies.

Does anyone read these documents? Some developers hope not but, just in case, feel able to wheel out vague descriptions of the data they are collecting to confuse people.

Perhaps GDPR will clean up some of this. Not before time, Google last year purged its Play store of software lacking a policy – we’ll call that a start.