Some widely used VPN, ad-blocking, and utility apps on Android and iOS are secretly collecting user data, BuzzFeed News has learned. Apps such as "Luna VPN," "Adblock Focus," "Mobile Data," and "Free and Unlimited VPN" were all created by Sensor Tower, a San Francisco-based data analytics firm that, according to its website, allows app developers to "understand the mobile ecosystem to efficiently generate quality, high-value users and maximize the potential of mobile advertising."
Installing one of these apps on iOS or Android will allow the app to add a cryptographic root certificate and launch man-in-the-middle attacks on encrypted communications, according to BuzzFeed News. Sensor Tower apps would be able to read all or most of a cell phone's network traffic.
"The typical user would just use the app and think, oh, I'm blocking ads, and not be very aware of how invasive this is," Armando Orozco, a threat analyst at Malwarebytes, told BuzzFeed News.
Apple has removed Adblock Focus from the App Store, but Luna VPN is still there. As of this writing, the Android version of Adblock Focus was still in the Google Play Store, along with Luna VPN, Mobile Data, and Free and Unlimited VPN.
If you have any of these apps installed, you should obviously remove them. Our general advice is not to use mobile VPN apps that offer completely free and unlimited service, because the provider has to make money in other ways, and the quickest way to do that is to collect and sell user behavior patterns. As the old adage goes, if you are not the customer, you are the product.
According to BuzzFeed News, Sensor Tower had created at least 20 smartphone apps that had at least 35 million downloads since 2015. An Apple spokesperson told BuzzFeed News that several other apps associated with Sensor Tower had previously been removed from the App Store, but did not name them.
Perhaps surprisingly, the Sensor Tower rep confirmed the app's hidden capabilities, but insisted that all user data fed to Sensor Tower clients is aggregated and anonymized so that individual users cannot be identified.
This may not be enough to keep the apps in Google Play and Apple's App Store. Installing a root certificate would likely violate the terms of service of both stores.
Sensor Tower allegedly got past Apple's and Google's app screening by not including a root certificate in the version of the app that users download from the stores. Instead, users appear to have been tricked into installing the root certificate after installation.
BuzzFeed News showed that a pop-up window in the iOS app Luna VPN offered to block YouTube ads, and when the user clicked "OK," the app installed a root certificate.
None of the apps mention Sensor Tower in their Android or iOS app store descriptions. Luna VPN is developed by Emban Networks, Adblock Focus by Orbital Software, Inc., and Mobile Data and Free and Unlimited VPN are listed under Gibli Mobile. These were the only apps associated with each of these developers.
Both Apple and Google require that all developers have a website that can link to their app listings, and all three of these companies presented bare-bones websites, although some website names did not match those listed in the app stores.
BuzzFeed News did not list any other apps created by Sensor Tower and could not determine whether the company has other apps in either the iOS or Android app stores. However, the Adblock Focus and Luna VPN apps use many of the same images.
In an interview with BuzzFeed News, Sensor Tower's Randy Nelson defended the company's decision to conceal its role in the creation and distribution of these apps.
"It makes a lot of sense given the relationship between these types of apps and analytics companies," Nelson told BuzzFeed News.