The data collection is not limited to Facebook but also targets browsing history, including all the regular and sponsored Facebook posts, tweets, YouTube videos, and ads.
Facebook is undoubtedly the number one social media website in the world and home to personal data of over 2.19 billion users worldwide – That makes it a lucrative target for malicious hackers, cybercriminals, state-sponsored agencies and most importantly advertisers.
After the Cambridge Analytica scandal, Facebook vowed to limit data collection for third-party advertisers but it is evident that these advertisers always find ways to collect user data. In a recent campaign, a third-party advertiser (who has been named later in the article) has been found not only collecting data from Facebook users but also their browser history and location-related information.
The campaign was exposed by Andrey Meshkov, Co-founder of Adguard, who dubbed it as a “huge spyware campaign.” According to Meshkov, the campaign is currently being utilized to steal data through popular Chrome extensions and Android apps used by millions of users worldwide.
It must be noted that the campaign is not limited to Facebook data but also collects browsing history, including all the regular and sponsored Facebook posts, tweets, YouTube videos, and ads.
List of Chrome extensions collecting & sharing user data
According to AdGuard’s findings, currently, there are four Chrome extensions (there could be more) collecting user data and sharing it with a third-party advertiser who sells the data further to other parties for revenue. Unfortunately, each extension has been installed on thousands of browsers such as:
Video Downloader For Facebook extension has been installed by over 170,000 users. A look at its reviews shows the extension indeed downloads Facebook videos but what users are not aware of the fact is that it constantly snoops on their online activities, collects and shares their personal data.
Album & Photo Manager For Facebook extension has been installed on over 91,000 people. Its developers claim to provide an authentic Facebook album manager service, however, a look at its review section reveals the extension actually does nothing other than collecting user data and sharing it with a third party.
Pixcam – Webcam Effects extension has over 26,000 installs and claims to be a “webcam effects application, which allows users to make photo effects and filtering easy.” A look at its review section shows the extension does not work for the majority of users which indicates that its sole purpose is to collect user data from their browser activity and share with a third party.
According to Meshkov, these spyware extensions work in such a way that once a user is logged into their Facebook account, they scrape all their data immediately after the browser startup. Furthermore, these extensions attempt to collect user purchase history including credit or debit card related activity – This itself is enough evidence for Google to remove these extensions from Chrome store.
Once the collection is complete the spyware sends the data to an Amazon web service (AWS) S3 bucket in a hashed form while the location data is sent in plain-text format. This location data includes Facebook user’s IP address, mobile device location, city, state, and country.
Here is a list of Android apps collecting Facebook user data and sharing advertisers:
List of Android apps collecting & sharing user data
The data collecting saga does not end here. In fact, it continues and in the second phase, highly popular Android apps on Google Play store are collecting the same user data as discussed in case of Chrome extensions. In this case, the third-party advertiser with whom the data is being shared is also the same.
Currently, there are two Android apps (there could be more) with millions of installs are collecting user data such as:
“Scanning these developer apps’ traffic confirmed that “Fast-Social App” transfers pretty much the same data as the Chrome extensions do and to the same servers,” noted Meshkov.
Israeli connection and how exactly data is being collected
The whole campaign is a bit tricky since there are no attackers involved neither does it require hacking of user device. In fact, all the aforementioned Chrome extensions and Android application have been sharing data with the third-party Israeli firm, Unimania.
“What Information We Collect and How We Collect It. In general, the Information we collect includes nonpersonally identifiable demographic and psychographic data as well as sponsored campaigns, advertisements or posts that target you directly or that have been shared with you,” says Unimania.
Simply put: AdGuard’s research exposes a campaign in which Android apps and Chrome extensions are stealing users’ Facebook data and spying on their social network browsing history. It further collects user interests and demographics and location-related data.
In total there are 400,000 Chrome users affected by this campaign while personal data of 11,000,000 Android users are currently being sold through two apps.
Remember, Adguard is the same firm who previously exposed over 20 million fake malicious Ad Blocker extensions being used by millions of people around the world. Adguard’s findings were acknowledged by Google Chrome’s security team and all fake Adblocker extensions were removed from Chrome store.
Google has removed both Fast – Social App and Fast Lite – Social App + Twitter from Play Store after Adguard and HackRead’s reports went public. However, all Chrome extensions are still available on Chrome Web Store.