Anonymous ID: 57bc0a Aug. 4, 2022, 2:51 p.m. No.17038949   >>9223

>>17038859

Measurement Systems paid developers around the world to incorporate its code – known as a software development kit, or SDK – into their apps, developers said. Its presence allowed the Panamanian company to surreptitiously collect data from their users, according to Serge Egelman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary.

Modern apps often include SDKs written by little-known companies like Measurement Systems "that aren’t audited or well understood," Mr. Egelman said. Inserting them is often enticing for app developers, who get a stream of income as well as detailed data about their user base.

"This saga continues to underscore the importance of not accepting candy from strangers," Mr. Egelman said.

The two men – who also co-founded a company called AppCensus that examines the security and privacy of mobile apps – consider the software to be the most privacy-invasive SDK they have seen in the six years they have been examining mobile apps. It can "without a doubt be described as malware," Mr. Egelman said.

He and Mr. Reardon documented their findings on the Measurement Systems code in a report published Wednesday that was shared with the Journal and was earlier provided to the Federal Trade Commission. They also shared their findings in March with Google, which initiated an investigation resulting in the ban. "FTC investigations are nonpublic, we cannot comment on whether we are investigating a particular matter," an FTC spokeswoman said.

The apps containing Measurement Systems software were removed from the Google Play Store as of March 25, according to Scott Westover, a Google spokesman, for collecting users’ data outside the rules that Google has established. Mr. Westover said the apps could be relisted if the software was removed. Some are already back in the App Store.