Dangerous Play Store apps are revealing personal data of Android users

Two Android apps from the same developer are revealing personal data belonging to some Android users.

Some apps in the Google Play Store are dangerous. | Image by PhoneArena
Inside the Google Play Store sits a large number of potentially dangerous apps. These are unlicensed and in some cases unsecured AI apps that are being promoted for editing and identity verification. What is dangerous about these apps is that they have exposed billions of personal records belonging to Android users. A report says that one particular app is a huge problem. That app, listed in the Google Play Store, is called "Video AI Art Generator & Maker."

Watch out for another app from the same developer called IDMerit


This app has been installed over 500,000 times, has 11,000 and, according to Forbes, it has leaked over 1.5 million user images, more than 385,000 videos, and millions of user-generated AI files. The leak happened because a Google Cloud Storage bucket was misconfigured, which allowed anyone, even those without authentication, to access the stored files. Over 12 TB of media files belonging to users of the app were exposed via the bucket. We should note that the bucket stored and leaked 8.27 million media files, as it collected every file since the app launched on June 13th, 2023.

The app does not appear in the Play Store, since Google has supposedly hidden it after reports came out about the app's issues with users' personal files and data. But wait, this story gets even worse. An app called IDMerit from the same developer exposed information called "Know-your-customer (KYC) data." This is the personal and professional information that businesses and financial institutions are legally required to get from you to verify your identity and determine what kind of risk is involved in doing business with you.

This is the type of personal info IDMerit gave malicious attackers access to


Obviously, this kind of information contains plenty of your information that you would not want to see get into the wrong hands. The KYC data, along with personally identifiable information, was exposed. This data belonged to individuals in the U.S. and 25 other countries including Germany, France, China, and Brazil. As one report said, "The leaked details include a treasure trove of personally identifiable information." Such data included:

  • Full names
  • Addresses
  • Post codes
  • Dates of birth
  • National IDs
  • Phone numbers
  • Genders
  • Email addresses
  • Telco metadata

If you don't believe that access to such personal information is dangerous, you probably haven't experienced what it's like to have your sensitive data and credentials stolen. All of the apps you use for your bank accounts, securities trading accounts, credit card accounts, and more have to be considered compromised. Much of the fault can be placed on developers of these leaky AI apps, who use an oft-criticized technique called "hardcoding secrets." This practice leads to the embedding of sensitive info such as passwords and encryption keys right into the app's source code.

72% of Play Store apps researchers analyzed had this vulnerability


Cybernews found that 72% of the hundreds of Play Store apps analyzed by researchers had similar vulnerabilities. One issue is that malicious bots crawling through public repositories like GitHub can compromise a hardcoded key in seconds. Studies have shown that when a developer accidentally includes a hardcoded key in a public GitHub repository, it is compromised in less than five seconds.
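For developers, here is an added example (not from the article, the researchers, or any of the apps mentioned): a small check that can be run over source files before they are committed, flagging the kind of hardcoded secrets described above. The rule names, entropy threshold and sample Kotlin file are constructed for illustration, and every value in the sample is fake.

```python
import math
import re

# Well-known credential shapes plus a generic "name = 'literal'" rule.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assigned_literal": re.compile(
        r"(?i)(password|passwd|secret|api_?key|token)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}
# Values that are build-time references or placeholders, not secrets.
PLACEHOLDER = re.compile(r"(?i)^(\$\{.*\}|<.*>|changeme|example.*|x+)$")


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable but not reusable."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text: str, min_entropy: float = 3.0):
    """Return (line_no, rule, redacted_value) for each suspected hardcoded secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(2) if rule == "assigned_literal" else m.group(0)
            if rule == "assigned_literal" and (
                PLACEHOLDER.match(value) or entropy(value) < min_entropy
            ):
                continue  # placeholder or low-entropy literal: probably not a secret
            findings.append((no, rule, redact(value)))
            break  # one finding per line is enough
    return findings


# Constructed sample resembling Android app source; all values are fake.
SAMPLE = '''\
object Config {
    const val MAPS_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"
    const val dbPassword = "t7#Qz9!pLm2vXw"
    const val apiToken = "${BuildConfig.API_TOKEN}"
    const val secretHint = "aaaaaaaaaaaa"
}
'''
```

Lines 2 and 3 of the sample are flagged; the build-time reference on line 4 and the low-entropy literal on line 5 are skipped.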


The good news is that researchers say that Codeway, the developer of IDMerit and Video AI Art Generator & Maker (the two Play Store apps mentioned in this article) was able to secure access to the data for the IDMerit app on February 3rd.

How to avoid installing these apps


So what can you do to make sure that you don't end up having your personal information floating around the internet? One thing you can do is to check out the developer's portfolio of apps. If you see 50 similar-looking titles, you might want to stay away from any app created by this developer, since it indicates that this developer chooses quantity over quality. You should also look for Google's "Verified Developer" badge in the Play Store.

Watch out for apps that make your phone run hot and drain the battery even when the app is closed. Also, beware of apps that offer a lifetime Pro subscription for a low price (like $4.99, for example). You might want to have the apps on your phone scanned by Google's Play Protect. Open the Play Store and tap your Profile icon in the upper right corner. Select Play Protect > Scan.
