A team of security researchers led by Sean O’Brien, founder of Yale Privacy Lab and Principal Researcher at ExpressVPN, has taken a deep look at many mobile apps trying to determine what percentage is carrying user-privacy-defying trackers. More specifically, the Tectonic X-Mode tracker that has been used and abused by private entities and government agencies alike, and which is currently banned by Google and Apple.
According to the ExpressVPN report, trackers are present in at least 450 applications that have a total download count of 1.7 billion. Of the identified apps, 305 remain available at this time, and 42 of them are messaging platforms that masquerade as popular services (WeChat, Telegram, Facebook Messenger). Other categories where trackers are present include dating and social media apps (64 of the 450), Muslim prayer apps, and cultural apps.
X-Mode is present in 199 apps that have been downloaded a billion times. Although the tracker is officially banned, only 10% of the identified apps have been ousted from the Play Store, so 179 of these apps are available in the official Android app store.
Of course, that’s not to say that Google is knowingly keeping those apps on the store, but probably a result of obfuscation and the need to analyze the app’s code to figure out the presence of trackers and the correlation between SDKs.
The researchers laid out the various SDKs found in the apps to connect the trackers and their beacon buddies and found several partner tools, as shown in the diagram below. Some of the names mentioned have already been condemned in American courts for user data scraping, sued by their former partners for privacy violations, and banned from social media platforms for breaking policy rules.
Perhaps the most prominent carrier of X-Mode, Quadrant, is present in several Muslim and weather forecast apps used by the American audience. The researchers found it in 64 of the 450 apps of the analyzed set, corresponding to at least 52 million devices.
In December 2020, Quadrant tracked approximately 41 million active users per day and 136 million active users in the United States alone. The snooper found on the chat apps was the one from Predicio, having about 60 million downloads in total.