Report: Researchers Identified 25 Clandestine Trackers In Popular Android Apps

Because of the way Google Play works, Android has a “bad app” problem. Google allows any developer to upload an app to the Play Store, regardless of if it works, how it looks, or whether or not it can harm users. Earlier this week Google was spotted covertly collecting cell tower location data of Android users, even when the user turned off location services. Companies such as Uber, UC Browser and even OnePlus have often come under the scanner for their data collection tactics.

Now we have some fresh news, Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times.

According to the report 25 trackers hidden inside popular Google Play apps such as Uber, Tinder, Skype, Twitter, Spotify, and Snapchat. Publication of this information is in the public interest, as it reveals clandestine surveillance software that is unknown to Android users at the time of app installation. These trackers vary in their features and purpose, but are primarily utilized for targeted advertising, behavioral analytics, and location tracking.

These 25 trackers are a sample of the 44 identified-to-date by security researchers at Exodus Privacy, a non-profit organization based in France. Their Web-based privacy auditing platform, also named Exodus, analyzes apps available via Google Play.

Some apps have their own analytics platforms but include other trackers as well. For example, Tinder uses a total of five trackers in addition to its own. the app for digital music service Spotify, which embedded four trackers, including two from Google; ridesharing service Uber, with three trackers; and Skype, Lyft, Accuweather, and Microsoft Outlook.

Exodus scans apps for the signatures of known trackers and identifies Android operating system permissions. To coincide with Privacy Lab’s publication, the Exodus organization has made its app auditing platform available to the public at and is releasing the code as Free and Open-Source Software.

To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital “signatures” distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived “hash” summary of the file itself. They also highlight how a large and varied set of firms are working to enable tracking.

According to the similar report, we have some response:

“I think people are used to the idea, whether they should be or not, that Lyft might be tracking them,” said Sean O’Brien, a visiting fellow at Yale Privacy Lab. “And they’re used to the fact that if Lyft is on Android and coming from Google Play, that Google might be tracking them. But I don’t think that they think that their data is being resold or at least redistributed through these other trackers.”

(A Spotify spokesperson wrote, “We take data security and privacy very seriously. Our goal is to give both our users and advertising partners a great experience while maintaining consumer trust.” An Uber spokesperson referred The Intercept to its published details on its use of cookies, which lists some of their third-party cookie providers but is not intended to be comprehensive. Users who visit the privacy policy section of Uber’s website can follow an opt-out link which appears to only apply to interest-based advertising on web traffic. The preferences do not work if a user disables third party cookies, and users must opt out again after deleting their cookies.)

“The real question for the companies is, what is their motivation for having multiple trackers?” asked O’Brien.

Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. Anyway Google has recently taken steps to safeguard users with its Play Protect program, you don’t have to depend on them.

Android has several tools accessible to users which provide protection. By combining secure technology with good decision making, you can protect yourself from most malicious apps. You can also apply these skills to protect yourself from broken apps or ugly ones. Unfortunately, these tips will not eliminate the possibility of downloading a malware app, but they’ll significantly reduce the threat.

To Top