According to a new study by French security firm Eurecom, many of the top Android apps in the Google Play store send user data to a number of ad and tracking sites. A few of these apps even connect to possibly malicious websites.


Reviewed the top 2,000 Android apps in Google Play store

The research team downloaded the top 2,000 apps in the Google Play store and analyzed how they worked. Altogether the apps sent data to 250,000 different URLs across around 2,000 top-level domains. Most apps were just connecting to a few ad and tracking sites, but others were clearly designed to exploit, sending user data to thousands of sites.

The researchers highlight “Music Volume EQ,” an Android app to control volume, a simple task that does not need to contact any external URLs. But their research determined that was not the case: “We find the app Music Volume EQ connects to almost 2,000 distinct URLs.”

It turns out more than 10% of the Android apps they tested connect to over 500 separate URLs.

Fewer apps connect to user tracking sites. In fact, over 70% of apps do not send data to user tracking sites. However, some of the apps that do send data to user tracking sites connect to over 800 of them. Of note, a number of these sites are owned by organizations that have been designated as “top developers” by Google. An app named Eurosport Player connects to 810 user tracking sites.

Even more worrisome, a few of the apps connect to sites associated with malware despite Google Play’s supposed screening process.

Google complicit in problem?

Of note, the Eurecom researchers also discovered that nine out of 10 of the ad-related domains most frequently contacted by these apps are run by Google. This obviously raises the question of whether this is why Google has long refused to do more than give apps a cursory review before allowing sales. People have long wondered why the Apple App Store thoroughly vets all apps before publication, but Google just doesn’t. This study raises the question of whether Google is aware of the issue but is complicit in allowing Google Play Store apps to siphon off user data, as it ultimately boosts its ad revenues.