Google Play caught hosting an app that steals users’ cryptocurrency

“Clipper” app replaced user’s wallet address with addresses controlled by developers.

Google Play has been caught hosting yet another malicious app, this time one that was designed to steal cryptocurrency from unwitting end users, researchers said Friday.

The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers, a researcher with Eset said in a blog post. As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers.

So-called clipper malware has targeted Windows users since at least 2017. Last year, a botnet known as Satori was updated to infect coin-mining computers with malware that similarly changed wallet addresses. Last August came word of Android-based clipper malware that was distributed in third-party marketplaces.

Apple tells app developers to disclose or remove screen recording code

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the company’s app store, TechCrunch can confirm.

In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.

It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister, and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity.

Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking.

Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it provides the technology, among many reasons, to help reduce app error rates. But the company “doesn’t enforce its customers” to mention that they use Glassbox’s screen recording tools in their privacy policies.

But Apple expressly forbids apps that covertly collect data without a user’s permissions.

TechCrunch began hearing on Thursday that app developers had already been notified that their apps had fallen foul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.

“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” Apple said in the email.

Apple gave the developer less than a day to remove the code and resubmit their app or the app would be removed from the app store, the email said.

When asked if Glassbox was aware of the app store removals, a spokesperson for Glassbox said that “the communication with Apple is through our customers.”

Glassbox is also available to Android app developers. Google did not immediately comment if it would also ban the screen recording code. Google Play also expressly prohibits apps from secretly collecting device usage. “Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality,” the developer rules state. We’ll update if and when we hear back.

It’s the latest privacy debacle that has forced Apple to wade in to protect its customers after apps were caught misbehaving.

Last week, TechCrunch reported that Apple banned Facebook’s “research” app that the social media giant paid teenagers to collect all of their data.

It followed another investigation by TechCrunch that revealed Facebook misused its Apple-issued enterprise developer certificate to build and provide apps for consumers outside Apple’s App Store. Apple temporarily revoked Facebook’s enterprise developer certificate, knocking all of the company’s internal iOS apps offline for close to a day.

Google Play apps with >4.3 million downloads stole pics and pushed porn ads

The 29 apps concealed their malice and were hard for many infected users to uninstall.

Screenshots of the pop-up ads displayed by malicious apps that were available in Google's Play Store. (credit: Trend Micro)

Google has banned dozens of Android apps downloaded millions of times from the official Play Store after researchers discovered they were being used to display phishing and scam ads or perform other malicious acts.

A blog post published by security firm Trend Micro listed 29 camera- or photo-related apps, with the top 11 of them fetching 100,000 to 1 million downloads each. One crop of apps caused browsers to display full-screen ads when users unlocked their devices. Clicking the pop-up ads in some cases caused a paid online pornography player to be downloaded, although it was incapable of playing content. The apps were carefully designed to conceal their malicious capabilities.

“None of these apps give any indication that they are the ones behind the ads, thus users might find it difficult to determine where they’re coming from,” Trend Micro Mobile Threats Analyst Lorin Wu wrote. “Some of these apps redirect to phishing websites that ask the user for personal information, such as addresses and phone numbers.”

Google starts pulling unvetted Android apps that access call logs and SMS messages

Google is removing apps from Google Play that request permission to access call logs and SMS text message data but haven’t been manually vetted by Google staff.

The search and mobile giant said it is part of a move to cut down on apps that have access to sensitive calling and texting data.

Google said in October that Android apps will no longer be allowed to use the legacy permissions as part of a wider push for developers to use newer, more secure and privacy-minded APIs. Many apps request access to call logs and texting data to verify two-factor authentication codes, for social sharing, or to replace the phone dialer. But Google acknowledged that this level of access can and has been abused by developers who misuse the permissions to gather sensitive data — or mishandle it altogether.

“Our new policy is designed to ensure that apps asking for these permissions need full and ongoing access to the sensitive data in order to accomplish the app’s primary use case, and that users will understand why this data would be required for the app to function,” wrote Paul Bankhead, Google’s director of product management for Google Play.

Any developer wanting to retain the ability to ask a user’s permission for calling and texting data has to fill out a permissions declaration.

Google will review the app and why it needs to retain access, and will weigh in several considerations, including why the developer is requesting access, the user benefit of the feature that’s requesting access, and the risks associated with having access to call and texting data.

Bankhead conceded that under the new policy, some use cases will “no longer be allowed,” rendering some apps obsolete.

So far, tens of thousands of developers have already submitted new versions of their apps either removing the need to access call and texting permissions, Google said, or have submitted a permissions declaration.

Developers with a submitted declaration have until March 9 to receive approval or remove the permissions. In the meantime, Google has a full list of permitted use cases for the call log and text message permissions, as well as alternatives.

The last two years alone have seen several high-profile cases of Android apps or other services leaking or exposing call and text data. In late 2017, popular Android keyboard ai.type exposed a massive database of 31 million users, including 374 million phone numbers.

Google Play malware used phones’ motion sensors to conceal itself

To elude emulators, banking trojan would trigger only when infected devices moved.

Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection—they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn’t load on emulators researchers use to detect attacks.

The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers—and possibly Google employees screening apps submitted to Play—are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.

Security firm Trend Micro found the motion-activated dropper in two apps—BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious.

Millions of Android users tricked into downloading 85 adware apps from Google Play

Another day, another batch of bad apps in Google Play.

Researchers at security firm Trend Micro have discovered dozens of apps, including popular utilities and games, to serve a ton of deceptively displayed ads — including full-screen ads, hidden ads and running in the background to squeeze as much money out of unsuspecting Android users.

In all, the researchers found 85 apps pushing adware, totaling at least 9 million affected users.

One app — a universal TV remote app for Android — had more than five million users alone, despite a rash of negative reviews and complaints that ads were “hidden in the background.” Other users said that there were “so many ads, [they] can’t even use it.”

The researchers tested each app and found that most shared the same or similar code, and often the apps were similarly named. At every turn, tap or click, the app would display an ad, they found. In doing so, the app generates money for the app maker.

Some of the bad adware-ridden apps found by security researchers. (Image: Trend Micro)

Adware-fueled apps might not seem as bad as other apps packed with malware or hidden functionality, such as apps that pull malicious payloads from another server after the app is installed. At scale, that can amount to thousands of fraudulent ad dollars each week. Some ads also have a tendency to be malicious, containing hidden code that tries to trick users into installing malware on their phones or computers.

Some of the affected apps include: A/C Air Conditioner Remote, Police Chase Extreme City 3D Game, Easy Universal TV Remote, Garage Door Remote Control, Prado Parking City 3D Game, and more. (You can find a full list of apps here.)

Google told TechCrunch that it had removed the apps, but a spokesperson did not comment further.

We tried reaching out to the universal TV remote app creator but the registered email on the since-removed Google Play store points to a domain that no longer exists.

Despite Google’s best efforts in scanning apps before they’re accepted into Google Play, malicious apps are one of the biggest and most common threats to Android users. Google pulled more than 700,000 malicious apps from Google Play in the past year alone, and has tried to improve its back-end to prevent malicious apps from getting into the store in the first place.

Yet the search and mobile giant continues to battle rogue and malicious apps, pulling at least 13 malicious apps in a sweep in November alone.

7 Android Apps That Add Features to Google Play Store

The Google Play Store on your Android device is the heart of Google’s ecosystem to buy apps, games, books, and movies. It gets periodic updates to improve engagement, app discovery, recommendations, and suggest popular apps.

But despite these updates, Google still hasn’t added other useful features and tweaks many users have asked for. We’ll show you some apps that let you get more out of the Play Store if you find the standard offering lacking.

1. Purchased Apps: Easy Access to All Your Paid Apps

Keeping track of all your apps is impossible, especially when you switch to a new device or do a factory reset. The Play Store’s Library tab lists all the apps you’ve installed and those that aren’t on your device. Unfortunately, it does not show you which apps you bought in the past or reveal any in-app purchases. The Account > Order History page also does not offer much help, as it lists other content along with apps.

Purchased Apps gives you easy access to all your paid apps. Log in with your Google account, and within a few moments your entire order history will show up. Tap the hamburger menu to show your total number of purchases, money you’ve spent, and their breakdown by category. The app lets you sort purchases by name, date, and price.

You can also filter them by Installation status or Purchase type. Tap on the More menu and then Filter to access these. From the dialog box that appears, check your selection criteria. For example, you can choose to list apps you’ve bought but aren’t installed on your device. You can even export the list as a CSV file for safekeeping or sharing with friends.

Download: Purchased Apps (Free)

2. AppSales: Track Paid App Discounts

Developers often put their apps on sale through the Play Store. But there’s no easy native way to find these deals or track the prices of individual apps. AppSales offers you a convenient way to discover and download the best paid apps and games that have gone free or are on sale. Their manual review process cuts out the junk and ensures that you get the best apps.

By default, it shows apps with a minimum discount of 25 percent. They must also have at least 100 downloads and an average rating of 3.5. To change the criteria, tap the hamburger menu and choose Settings > Filter. Drag the slider forward for each section and check Hide expired sales.

You can also filter apps by categories. For example, if you’re not interested in games, then tap Settings > Categories and deselect the entire Games category. AppSales also lets you monitor the apps on your watchlist for price cuts. Open the app’s page in the Play Store, then tap Share and choose AppSales. Check the price history of that app to track pricing patterns over the last 60 days.

Open the hamburger menu and choose Watchlist Charts to see which apps are trending. If you subscribe to AppSales premium, you’ll also get notifications for in-app sales, launch sales, and voucher codes. You can also add unlimited apps to the watchlist and track their price history over a full year.

Download: AppSales (Free, subscription available)

3. App Watcher: See Release Notes Without Installing

There are millions of apps on the Play Store, but it’s not practical to install dozens of apps just to see what features they offer. The Play Store lets you add apps to a wishlist so you don’t forget about them, which can help. But if they get any new features or improvements, you won’t get a notification about it.

App Watcher is a What’s New? app manager that monitors Play Store changelogs for apps you don’t have installed. It provides you quick access to the What’s New? section, letting you know about new features, bug fixes, and level updates for games. To add an app, open its page in the Play Store, then tap Share and choose Add to App Watcher.

If you have any apps on your wishlist, it’ll import the apps for you. Or if you know the app name, you can directly search for it in App Watcher. The updater checks for app updates in the background. When the process completes, it highlights the app in the Recently updated section, and you’ll also get a notification. You can also tag your apps to organize them or synchronize the list with Google Drive.

Download: App Watcher (Free)

4. Beta TestingCatalog: New Apps for Beta Testing

With support for beta testing baked into the Play Store, you can try out cutting-edge versions of your favorite apps before they get released to everyone. But the Play Store doesn’t give you a single place to browse apps available for beta testing, and the beta testing process is not optimized for feedback analysis. Enter Beta TestingCatalog.

It’s a community of beta testers and developers designed to distribute beta apps and exchange feedback. When you open the app for the first time, tap the hamburger menu to explore all the options. Tap Catalog to see a list of popular apps for beta testing, with daily updates. The Installed section retrieves a list of your installed apps that have beta testing available.

Since the community manually reviews the app selection process, you’ll not find every app available here. Once you find an app for beta testing, follow our instructions to enroll in the Play Store’s beta testing program. You’ll find both Opt-in and Join buttons, plus relevant beta details and their changelog in the description. TestingCatalog also lets you search for apps and browse them based on categories.

Download: Beta TestingCatalog (Free)

5. Error Codes & Fixes: Solve Play Store Issues

Whenever you encounter a problem in the Play Store, it’s easy to get frustrated. The cryptic error codes shown by the Play Store don’t offer much help to solve these problems. This app contains guides and troubleshooting steps on how to solve the most common Play Store problems like error code 495, 505, 492, and more.

You can browse the error codes or input a code to see the relevant troubleshooting steps. On the downside, the app displays full-screen ads. While this is a small price to pay for resolving Play Store problems, it’s worth a try if you’re tired of searching Google. Alternatively, you can also browse this massive list of Play Store error codes from XDA.

Download: Error Codes & Fixes (Free)

6. Subscriptions: Track App Subscriptions and Services

Many apps and services on the Play Store rely on subscriptions. Unfortunately, the Subscriptions option in the Play Store doesn’t offer you much help. It shows the due date of your subscription and allows you to set up alternative modes of payment, but that’s it. Thankfully, there’s a better option.

The Subscriptions app lets you track all kinds of services, phone contracts, public transportation, and any other service you can think of in a neat and intuitive interface. You can choose from 30+ subscription presets or even add your own. To do this, tap the Plus button and select a subscription service from the list.

If a service or app you use isn’t listed, tap the Plus button in the upper-right corner and type in its details manually. Finally, tap Remind me and choose to receive a reminder either a day or week before the subscription renews to decide whether to keep it. If you use multiple Android devices, your subscription info will sync across them.

Download: Subscriptions (Free, premium version available)

7. App Backup & Restore: Batch Backup and Restore

Developers frequently update their apps to bring new features and fix bugs. But sometimes upgrading to a newer version can cause problems. It might add new bugs, introduce a deluge of ads, or even crash on launch. Also, if you don’t have much space on your phone, you might hesitate to apply updates regularly.

While the Play Store doesn’t let you make a backup of your apps, App Backup & Restore allows you to store, archive, or delete backups directly from its interface. Just check an app and tap Backup. Tap the More menu and then Settings to change the backup path. There are some interesting options to explore in Settings. For example, under the Auto Backup section, check Auto Backup to back up every time you update an app.

If you find the new app version unstable for any reason, tap Restore to reinstall the app from the backup. You can also choose to back up specific apps and send them to other devices via Wi-Fi or through WhatsApp.

Download: App Backup & Restore (Free) | App Backup & Restore Pro ($19)

Don’t Forget Google Play Store Tips and Tricks

The Play Store is just like any other app marketplace. Periodic updates to the Store improve stability and performance, but Google’s focus is entirely on user engagement, app discovery, and revenue. With these apps, you can extract useful features from the Play Store without much extra effort.

Did you know the Play Store has many great lesser-known features and secrets that make it even better? If this interests you, have a look at the best Google Play Store tips and tricks for Android users.

Consumer advocacy groups call on FTC to investigate kids’ apps on Google Play

A coalition of twenty-two consumer and public health advocacy groups, led by Campaign for a Commercial-Free Childhood (CCFC) and Center for Digital Democracy (CDD), have today filed a complaint with the Federal Trade Commission asking them to investigate and sanction Google for how its Google Play Store markets apps to children. The complaint states that Google features apps designed for very young children in its Play Store’s “Family” section, many of which are violating federal children’s privacy law, exposing kids to inappropriate content, and disregarding Google’s own policies by luring kids into making in-app purchases and watching ads.

Google Play ‘Family’ Section

Google first introduced its “Designed for Families” program back in 2015, which gives developers of kid-friendly apps meeting certain guidelines additional visibility in the Play Store. This includes a placement in the Family section, where apps are organized by age appropriateness.

To qualify, “Family” apps must abide by specific content policies, Google’s Developer Distribution Agreement, and the Designed for Families DDA Addendum. The apps must also meet the Designed for Families program requirements. Legal compliance with federal privacy laws, including COPPA (Children’s Online Privacy Protection Rule), is among the requirements.

COPPA is designed to protect children under the age of 13 by giving parents control over what information sites and apps can collect from their kids.

Above: Google Play store showcases children’s content in its own dedicated sections

COPPA Violations

But the new FTC complaint claims that Google is not verifying COPPA compliance when it accepts these apps and, as a result, many are in continual violation of the law.

“Our research revealed a surprising number of privacy violations on Android apps for children, including sharing geolocation with third parties,” said Serge Egelman, a researcher at the University of California, Berkeley, in a statement shared by the group. “Given Google’s assertion that Designed for Families apps must be COPPA compliant, it’s disappointing these violations still abound, even after Google was alerted to the scale of the problem,” he added.

TechCrunch asked the coalition if it had some idea about how many apps were in violation of COPPA, and was told the groups don’t know an exact number.

“From our survey – and more comprehensive analyses like the PET Study – it seems fairly prevalent,” Lindsey Barrett, Staff Attorney at Georgetown’s Institute for Public Representation, told us.

“The PET Study found that 73% of the kids apps in the Play store transmitted sensitive data over the internet, and we saw apps sending geolocation without notice and verifiable parental consent, and sending personal information unencrypted,” Barrett said. “Further, under COPPA, children’s PII cannot be used for behavioral advertising. Yet, many of the children’s apps we looked at were sending information to ad networks which say their services should not be used with children’s apps,” she added.

Other Harms

The apps also engage in other bad behaviors like regularly showing ads that are difficult to exit or showing those that require viewing in order to continue the current game, according to the complaint. Some apps pressure kids into making in-app purchases – in one example, the game characters were crying if the kids didn’t buy the locked items, it notes. Others show ads for alcohol and gambling, despite those being barred by Google’s Ad Policy.

Above: disturbing images from TabTale apps

The coalition additionally called out some apps for containing “graphic, sexualized images” like TutoTOONS Sweet Baby Girl Daycare 4 – Babysitting Fun, which has over 10 million downloads. (The game has a part where kids change a baby’s diaper, wipe their diaper area, then rub powder all over the baby’s body.) Others model harmful behavior, like TabTale’s Crazy Eye Clinic, which teaches children to clean their eyes with a sharp instrument, and has over one million downloads. (The game is currently not available on Google Play and its webpage is down.)

The complaint also broadly takes issue with apps that use common SDKs like those from Unity or Flurry (disclosure: Flurry and TechCrunch share a corporate parent) to collect device identifiers from the children’s apps.

“Nearly three-quarters of the apps in the Family section transmit device identifiers to third parties,” reads the complaint. “There is no way for us to know for sure what the device identifiers are used for. Since many of the apps send device identifiers to third parties that specialize in monetizing apps and/or engaging in interest-based (behavioral) advertising, it seems unlikely that this information is being used solely to support internal operations,” it says.

Above: Strawberry Shortcake Puppy Palace was called out for aggressive monetization efforts. Strawberry tells kids to buy things to keep the puppy happy – the implication is if you don’t pay, you’re making puppies sad.

The groups say that Google has been aware of all these problems for some time, but hasn’t taken adequate steps to enforce its criteria for developers. As a result, the consumer advocacy groups are urging the FTC to investigate the Play Store’s practices.

The coalition had previously asked the FTC to investigate developers of children’s apps aimed at preschoolers who were using manipulative advertising. But today’s complaint is focused on Google.

“Google (Alphabet, Inc.) has long engaged in unethical and harmful business practices, especially when it comes to children,” explained Jeff Chester, executive director of the Center for Digital Democracy. “And the Federal Trade Commission has for too long ignored this problem, placing both children and their parents at risk over their loss of privacy, and exposing them to a powerful and manipulative marketing apparatus. As one of the world’s leading providers of content for kids online, Google continues to put the enormous profits they make from kids ahead of any concern for their welfare,” Chester said.

Apple was not similarly called out because a similar analysis has not yet been done on its app marketplace, Josh Golin, Executive Director at CCFC, told us. In Google’s case, he explained, two major studies found widespread issues with the Play Store apps for kids. One from Berkeley researchers found widespread COPPA non-compliance; the other, by University of Michigan researchers, found children’s play experience was often completely interrupted and undermined by aggressive marketing tactics.

The complaint comes at a time when there is increased scrutiny as to how tech companies are misusing and abusing consumer data and violating privacy. Kids’ games have already been the subject of some concern. And this morning, an NYT investigation into Facebook revealed it had shared more of users’ personal data than disclosed with major tech companies, following a year of data scandals.

The issue of data privacy is an industry-wide problem. Tech companies’ failures on this front will likely lead to increased regulation going forward.

Google and the named developers were not immediately available to comment this morning. We’ll update if comments are provided.

The full complaint is below.