The apps, including Luna VPN, Adblock Focus, Mobile Data and Free and Unlimited VPN, were all created by Sensor Tower, a San Francisco data-analytics firm that, according to its website, helps app developers "understand the mobile ecosystem and maximize the potential of mobile advertising in order to efficiently generate quality, high-value users."
If you install one of these apps on iOS or Android, BuzzFeed News said, the app will add a cryptographic root certificate that, in our understanding, would let it stage a man-in-the-middle attack on encrypted communications. The Sensor Tower app would be able to read all or most of the phone's network traffic.
"Your typical user is going to go through this and think, Oh, I'm blocking ads, and not really be aware of how invasive this could be," Malwarebytes threat analyst Armando Orozco told BuzzFeed News.
What you need to do
Apple has removed Adblock Focus from the App Store, but Luna VPN is still there. The Android version of Adblock Focus was still in the Google Play Store at the time of this writing, along with Luna VPN, Mobile Data and Free and Unlimited VPN. BuzzFeed did not name any other Sensor Tower-associated apps.
If you have one of these apps installed, you should obviously remove it. Our general advice is to not use any VPN mobile app that offers totally free, unlimited service, because it's got to make money some other way, and the quickest is by collecting and selling user behavioural patterns. As the old adage goes, if you're not the customer, then you're the product.
BuzzFeed News said Sensor Tower had created at least 20 smartphone apps with at least 35 million downloads since 2015. An Apple spokesperson told BuzzFeed News that several other apps associated with Sensor Tower had earlier been removed from the App Store, but didn't name them.
Breaking the rules
Perhaps surprisingly, a Sensor Tower representative confirmed the apps' hidden abilities, but insisted that all user data fed to Sensor Tower's clients was aggregated and anonymized so that individual users could not be identified.
Sensor Tower allegedly got past Apple and Google's app screeners by not putting the root certificate in the versions of the apps that users download from the stores. Instead, users are apparently tricked into installing the root certificates after installation.
BuzzFeed News showed how a pop-up window in the Luna VPN iOS app offered to block ads in YouTube; if the user clicked "OK," the app would install the root certificate.
Hiding the apps' true origins
None of the apps mention Sensor Tower in their descriptions in the Android or iOS app stores. Luna VPN's developer is listed as Emban Networks; Adblock Focus's as Orbital Software, Inc.; and Mobile Data's and Free and Unlimited VPN's as Gibli Mobile. These were the only apps associated with those developers.
Both Apple and Google require that all developers have a website to which an app's listing can link, and all three of these companies presented bare-bones websites, although some of the websites' names didn't match what was listed in the app stores.
BuzzFeed News didn't list any other apps created by Sensor Tower, and we weren't able to tell whether the company had any other apps in either the iOS or Android app stores. However, the Adblock Focus and Luna VPN apps use a lot of the same imagery.
Speaking with BuzzFeed News, Sensor Tower's Randy Nelson defended his company's decision to hide its role in creating and distributing these apps.
"When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense," Nelson told BuzzFeed News.