Google has removed more than a dozen apps from its Play Store after learning they contained malicious code which was harvesting people’s locations, phone numbers, and email addresses.
These include a QR code scanner, a weather app, and Muslim prayer apps.
Some of the apps had been downloaded more than 10 million times.
“All apps on Google Play must comply with our policies, regardless of developer,” a Google spokesperson told the BBC.
“When we determine an app violates these policies, we take appropriate action.”
Google had previously warned app developers they needed to be clear with users about the information they share.
In December 2021, it said apps which fail to comply with its data policy faced being banned from the Play Store after Huq, a British firm which collects location data, admitted to the BBC at least two app partners had not sought the correct user permissions.
According to the researchers who discovered the problem, the apps contained a software development kit (SDK) which sent private information to a third party.
It was outlined in a report published by researchers Joel Reardon, from the University of Calgary, and Serge Egelman, from the University of California, Berkeley.
Once such app was a QR code and barcode scanner which had been downloaded more than five million times – the type of thing you would download to use once or twice and then forget about.
The app was secretly sending users’ sensitive data, including their phone’s unique IMEI identification number, to a company based in Panama named Measurement Systems, and traced back to a company in Virginia, US, called Vostrom Holdings.
The Wall Street Journal reported a link between this company and the US government through yet another firm called Packet Forensics.
Apps banned for the prohibited harvesting of user data can apply for reinstatement in the Google Play Store if the offending code is removed, the Google spokesperson added.
The majority of the offending apps are now available for download again, if they no longer include the SDK.