Cyber security specialist ExpressVPN has sifted through 450 apps. All without exception contain location trackers that share your data. Especially apps that want to deceive your vigilance by taking the form of popular services.
Know who you are, where you are and what you are doing there. This is a wealth of information that is being traded today at a high price, and not always with your consent. Because to get rid of this data, the applications are (almost) ready for any subterfuge. The simplest used? The built-in tracker that tracks you all the time, even in apps where you least expect it.
Launched last October, ExpressVPN’s Digital Security Lab made its first report on a first burst of applications analyzed to detect possible threats. A report prepared jointly with the Defensive Lab Agency. And the least we can say is that the report has something to be dense: in total, 450 applications were screened for a total of over 1.7 billion downloads worldwide. And all of them contain questionable trackers of all kinds.
187 million downloads of deceptive apps
In the lot, the researchers mainly identified 42 messaging apps, downloaded more than 187 million times, which embed location trackers. But above all, many of them impersonate popular services like Facebook Messenger, WeChat or Telegram by using their design, or even their name and logo to deceive users.
Some of the companies spotted collecting location data through messaging apps include Predicio and X-Mode. The first, a French company, has been involved in several scandals around private data in the past. ExpressVPN found traces of its trackers in 27 of the 450 applications studied. But that’s nothing compared to X-Mode, a data broker that resells its base. It appears in 199 apps, for over a billion downloads. X-Mode SDK trackers and solutions found in 10 religious and cultural apps.
An unexpected situation since both Apple and Google asked their developers at the end of 2020 to no longer use X-Mode, which was withdrawn from the stores and tools available. But, ExpressVPN notes, only 10% of apps have been removed from the Google Play Store.
Another company blacklisted and even sued by Facebook for breach of privacy, OneAudience. However, ExpressVPN found referrals in 167 apps analyzed (37%).
Information shared with judicial and military organizations
Dating apps are another area where researchers have spotted the most trackers tracking specific users. ” One of the most surprising things about our observations is the number of social media and dating apps that target different types of demographic groups. Whatever your background, your sexual or dating preferences, there is an application ready to spy on you ”, says Sean O’Brien, cybersecurity researcher at ExpressVPN.
Applications targeting national, ethnic and racial groups, notably Muslims, are particularly active in tracking users. “Dating and social apps targeting a range of sexual orientations and dating preferences constitute 64 of the 450 apps we analyzed, with at least 52 million downloads, ”says Sean O’Brien who adds that data sharing with the companies behind these location trackers has been constant. And some of the information obtained was even shared with judicial, military or intelligence agencies.
Fidme, the loyalty card app that tracks you in store
In the long list of 450 apps studied, the popular application Fidme, a French company offering a service to store all types of loyalty cards and obtain vouchers, contains 12 different trackers including one for profiling and another for tracking. In particular, this will allow you to know which store you are in and thus establish your buyer “profile”. It has been downloaded over a million times.
L’app France TV : direct & replay is also interested in your position. Which may seem unnecessary given the use of the application. It is on this point that the researchers alert, recommending to always say no when an app asks you for your location when this has no effect on the use.
To date, the Digital Security Lab explains that 305 apps are still available with their trackers in both stores, despite in particular Apple’s new policy which requires its developers to be transparent about the use of data and trackers.