People often use ad blockers, disk-cleaners, and similar utilities to stop online trackers from monitoring their online activities. Now, researchers have uncovered a host of apps and browser extensions downloaded more than 11 million times that keep a list of every website ever visited and send it to servers operated by the developers.
The snooping wares affect both Android and iOS users, as well as those who installed Google Chrome and Mozilla Firefox extensions, according to a blog post published Tuesday by AdGuard, a developer of ad blockers and privacy tools. AdGuard cofounder Andrey Meshkov said in the post that the extensions and apps make a list of every exact address of every page visited and combine it with a unique identifier he believes is generated when the extension or app is first installed.
“There are numerous ways of discovering your real identity from observing your browsing history,” Meshkov wrote. “It can be straightforward, for instance, there is no ambiguity in who can visit this page: https://analytics.twitter.com/user/ay_meshkov/tweets. Even if you do not happen to visit such pages, there is still a high chance of exposing your real identity.”
The post identifies the following wares:
An ad blocker for iOS. It’s hard to estimate the users count as it is not distributed via the App Store.
Meshkov told Ars that he believes all of the wares were acquired by a company calling itself Big Star Labs. He said all of the Android apps link to privacy policies similar to this one, which mentions Big Star Labs by name. The privacy policies are especially opaque because they appear in images rather than text that can be more easily indexed by search engines. Earlier versions of some of the apps contain no tracking code. Later versions of the same apps, by contrast, contain heavily obfuscated code that sends complete browsing histories. Meshkov said his research showed that Big Star Labs was incorporated in 2017. Attempts to contact company representatives weren’t successful, and no one responded to emails sent to the addresses included in the privacy policies.
A search by Ars showed that none of the offending Android apps or Chrome extensions were available in Play or the Chrome Web Store. Meshkov, however, said on Wednesday that his searches showed that the Block Site Android app was still available in Play. Both the Block Site and Poper Blocker Firefox extensions were also no longer available from Mozilla. Interestingly, the AdblockPrime extension targeting iOS users could be installed directly from adblockprime[dot]co when people visited using Safari. There’s no indication it was ever available in Apple’s App Store.
Over the past year, a variety of apps and extensions, mostly available in Google Play and the Chrome Web Store, have been caught stealing login credentials, injecting malicious ads, and pushing nation-state-style surveillance functions. Stylish, a Chrome, Firefox, and Opera extension with more than 2 million downloads, was pulled earlier this month when researchers found that it, too, tracked every site users visited.
Tuesday’s post is the latest example of how widely used extensions and apps can often severely compromise user privacy. People should think long and hard before installing them and then only after researching the developers listed in the privacy policies.