What We Can Learn from the Big Star Labs Spyware Incident


Spider Guard Data Privacy News



One developer used its shady apps to mine data from millions, and most probably still don’t know it happened. Here’s how you can protect yourself and your business from the next spyware incident.

By Aaron Martin - 07 Aug 2018


11,000,000 app users.

That’s how many people Big Star Labs quietly scammed out of their personal data for over a year, all the while claiming its apps were protecting their privacy. To date, only speculation can say who has that data now and what’s being done with it. Was this an invasion of privacy? Certainly. But for businesses whose staff download questionable apps, the risk is much greater. Installing apps on a work device without vetting them first could mean a serious data breach. Read on to find out what happened and how you can protect your data from a similar attack.

The Incident

Big Star Labs used its privacy, advertisement blocker, battery saver, and fitness apps to intercept the browsing history, device info, and other personally identifiable information from all 11 million of its users. The developer didn’t ask for explicit consent to collect this data, and there’s evidence that they were deliberately deceptive about what data they collected and why.

The Risk

That depends on the app in question. Most of Big Star Labs’ apps collected full URLs while the user browsed the internet. These non-anonymized URLs can be used to identify that user, collect additional data from them, and/or be compiled into a profile for unauthorised sale to a third party. An app like this could collect sensitive or proprietary information. In extreme cases, if the user gives it access, the app can install other, more malicious apps without asking for permission.

Our Recommendations

If any of the apps listed below are on one of your devices, our data security team recommends you take the following steps:

  1. Immediately delete the app in question. If you don’t have access to that function (e.g. it’s a work device), notify your administrator so they can do it for you.

  2. If you have one, contact your data protection officer immediately so they can perform an analysis of the data that may have been leaked to unknown parties.

  3. In the event a personal device was affected, you should do a check to make sure none of the other apps installed on it are from unknown/questionable sources.

  4. If you are a citizen of the EU, submit a complaint to the supervisory authority in your country.

The Offending Apps

Android - 

  • Block Site - installed over 100,000 times

  • AppLock / Privacy Protector - installed over 500,000 times

  • Clean Droid - installed over 500,000 times

  • Speed BOOSTER - installed over 5,000,000 times

  • Battery Saver - installed over 1,000,000 times

  • Mobile health club apps - unknown number affected

iOS - 

  • Adblock Prime - unknown number affected

Browser Extensions - 

  • Block Site for Chrome - over 1.4 million users affected

  • Block Site for Firefox - over 100,000 users affected

  • CrxMouse - over 400,000 users affected

  • Poper Blocker for Chrome - over 2,000,000 users affected

  • Poper Blocker for Firefox - 50,000 users affected


The Story

What if the app you thought was protecting your privacy or shielding you from annoying (or malicious) advertisements was actually mining your device for information without your permission?

That’s exactly what came to light last week when AdGuard, a reputable privacy app provider, discovered that Big Star Labs was exploiting its users under the guise of its privacy and utility apps. The fact that most of these programs are billed as privacy apps makes this intrusion all the more offensive. For example, any time someone using a device with the popular ‘Block Site’ Chrome extension visits a website, Block Site collects the full URL and sends it to an unknown remote server. Block Site claims to collect this information to help it detect which sites to block, but the reality is it’s collecting every website URL the user visits, not just those of sites that are potentially harmful. This is a classic phishing tactic - the purpose of the app is essentially the opposite of what Big Star Labs claims.
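As an added illustration of the behaviour described above (not code from this article, AdGuard or Big Star Labs), the script below scans constructed proxy-log lines for a remote host that is sent the full URL of every page the user visits, the pattern a “send every URL for a blocklist check” extension leaves in outbound traffic. The log format and all hostnames are assumptions.

```python
# Added example (not code from the article, AdGuard or Big Star Labs): flag a
# remote host that is sent a copy of every URL the user visits, the behaviour
# the article attributes to Block Site. All hostnames are placeholders.
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log, one request per line: "<epoch> <client-ip> <url>"
SAMPLE_LOG = """\
1533600001 10.0.0.5 https://intranet.example/hr/payroll
1533600001 10.0.0.5 https://collector-placeholder.example/check?url=https%3A%2F%2Fintranet.example%2Fhr%2Fpayroll
1533600010 10.0.0.5 https://bank.example/login
1533600010 10.0.0.5 https://collector-placeholder.example/check?url=https%3A%2F%2Fbank.example%2Flogin
1533600020 10.0.0.5 https://news.example/story/1
1533600021 10.0.0.5 https://collector-placeholder.example/check?url=https%3A%2F%2Fnews.example%2Fstory%2F1
1533600030 10.0.0.5 https://search.example/?q=https%3A%2F%2Fnews.example%2Fstory%2F1
"""

def embedded_urls(url):
    """Return URL-valued query parameters carried by `url` (parse_qs decodes them)."""
    found = set()
    for values in parse_qs(urlsplit(url).query).values():
        found.update(v for v in values if v.startswith(("http://", "https://")))
    return found

def find_url_collectors(log_text, min_ratio=0.8):
    """Map host -> share of distinct page visits echoed to it, for hosts at or
    above `min_ratio`. Requests that carry a URL parameter count as lookups,
    not page visits, so a collector's own traffic does not inflate the total."""
    page_visits = set()
    reported = defaultdict(set)  # host -> visited URLs it was sent
    for line in log_text.splitlines():
        _, _, url = line.split()
        carried = embedded_urls(url)
        if carried:
            reported[urlsplit(url).netloc].update(carried)
        else:
            page_visits.add(url)
    if not page_visits:
        return {}
    flagged = {}
    for host, echoed in reported.items():
        ratio = len(echoed & page_visits) / len(page_visits)
        if ratio >= min_ratio:
            flagged[host] = ratio
    return flagged

if __name__ == "__main__":
    for host, ratio in find_url_collectors(SAMPLE_LOG).items():
        print(f"{host}: {ratio:.0%} of visited URLs reported")
```

A legitimate lookup service (search.example here) echoes only an occasional URL and stays below the threshold, while the placeholder collector receives every page visit.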

Even more disturbing, the Block Site app asks Android users to enable ‘Accessibility services’ on the device, which would allow the app to emulate the user’s taps, swipes, and other activities that only the user ought to be able to perform - essentially giving the app a disturbing amount of access to the user’s device. Big Star Labs’ Adblock Prime for iOS uses a similar tactic, but takes it a step further by enabling itself to install other apps on the Apple device without asking for permission.

The Trouble with All That Snooping

Big Star Labs skirts a fine legal line with its exploitative apps. The company has in fact bothered to draft privacy policies for its software, wherein it claims only to collect ‘non-personal’ information - allegedly just the user’s browsing history and IP address. This may seem legitimate to the layman, but Big Star’s claim is hard to argue for the simple reason that browsing history is not necessarily anonymous when it is paired with other collected data. AdGuard cited a recent finding that it is now possible for someone with the right algorithm to identify a user with high accuracy solely by correlating said user’s browser history to their social media presence (such as a Twitter account). Pair that information with the user’s IP address and you now have a personal identifier.

For the average consumer, this adds up to a very unpleasant invasion of their privacy. For an employer discovering that one of their staff had installed a Big Star Labs app on his or her work device, it could mean a data breach of unknown severity, especially if the data stolen related to a customer or client.

While there’s no evidence that Big Star Labs’ offending apps are targeting proprietary business data outright, this is just the sort of vulnerability that can open a company up to a data breach. It’s important to remember that whenever an employee authorises an app, it becomes capable of obtaining all manner of sensitive info. If that stolen data is a client’s, then the breach could have a direct negative impact on the business. To make matters worse, the company could be held liable under a law like the GDPR for allowing the breach to happen. It’s incidents like these that have plagued even the mightiest and most trusted of data controllers (like Equifax and Yahoo), with serious negative impact to their images and market shares.

Speaking of GDPR, Big Star Labs is probably in breach of not one but TWO privacy laws: the EU’s General Data Protection Regulation (GDPR) and the more recent California Consumer Privacy Act (CCPA). Both laws require companies to give their data subjects rights to access, deletion, and portability of their data. Notably, the CCPA considers an IP address a personal identifier, which negates one of Big Star’s main claims.

The EU’s GDPR requires explicit consent for the use of the data a company collects (which Big Star Labs doesn’t ask for). It also requires that company to make clear what third parties it shares personal data with (Big Star doesn’t do that either). Big Star Labs also fails to provide a clear avenue for contacting them to request information about the data it’s collecting (another GDPR requirement). If an EU consumer was to take this company to task, they would have a strong case against them.

How You Can Prevent Shady App Devs from Mining Your Company’s Data

Needless to say, no one wants malicious or even mildly shady app developers prying into their valuable business data. Here are the steps our data protection team recommends you follow to prevent the next spyware incident from affecting you:

  • Define which devices and tools your staff can use for work-related purposes and specify how they can be used. This allows app usage to be monitored and prevents staff from jeopardizing the security measures your company has implemented.

  • Do the same as above for any and all personal devices (read: mobile phones!) that your staff use for work-related purposes.

  • In addition to the above, it goes without saying that staff training will go a long way towards protecting everyone involved with your day-to-day business operations.

  • Classify your data and define/assign proper access management to all staff.

  • Apply monitoring of all relevant systems.

If the above steps seem overwhelming, the best advice we can give you is to ask for help. The realm of privacy and security is vast and systems are getting more complicated all the time. The right advice can save you a lot of trouble down the road.

Looking for More Info?

The worst time to start figuring out what you’re going to do in the event of a data breach is right after discovering you’ve suffered a data breach. That being said, not all businesses have the knowledge base to perform the necessary audits and assessments, implement effective security measures to keep company data secure, train staff, and so on. The laws are stricter than ever with regard to data security and individuals’ rights over how their data (including employees’ data) is handled, and what complicates matters further is that these laws sometimes overlap and may even contradict each other. In light of this, not all businesses have the budget or the desire to hire someone full-time to fill this vital role. If this sounds like you, then you may want to consider outsourcing your data security and compliance needs.

Spider Guard’s team of global data protection & privacy experts specializes in helping businesses find solutions that fit their unique needs. Our online privacy and data protection compliance specialists draw their knowledge from professional backgrounds ranging from the corporate financial sector to startup consulting to local and national government. We can help you ensure that the data that fuels your business is secure, private, and legally managed.

You can learn more about us, including our Privacy Consulting and Outsourced Data Protection Officer services, at https://www.spiderguard.io/. Or, you can contact us directly for a consultation by clicking on the 'Speak To An Expert' link below.
