Researchers have discovered a new hiding place for spyware: Chrome extensions.
Among these are productivity manager Block Site for Android, iOS and Firefox; iOS ad-blocker Adblock Prime; Chrome and Firefox extension Popper Blocker; and mouse-gesture customizer CrxMouse. (It's worth noting that the research comes from AdGuard, a competitor.)
What to Do Now
If you have any of these apps and are concerned for the security of your browsing history, we recommend disabling them immediately. This should serve as a reminder to all users going forward: Don't download apps from developers you don't know.
As a failsafe, Android users can go into Settings, look for Security and make sure Unknown Sources is toggled off.
Insidious Extensions and Apps
The researchers found that the Chrome and Firefox extensions were sending the exact address of every page a user visited to a remote server. On iOS, the apps offered to install a Mobile Device Management profile from Safari directly to users' phones. This gave Big Star Labs access to the list of apps present on the device and user browsing history, and could also allow it to remotely install third-party apps.
The Android apps requested access to the "Accessibility Services" section of a user's settings, the section that allows users with disabilities to optimize their interactions. Once granted that access, Big Star Labs can remotely tap and swipe on a user's device, and extract page URLs from the browser's address bar.
A number of apps were doing this in direct violation of their privacy policies, many of which claimed that they anonymized ISPs associated with users, or that they didn't share browsing data with third parties.
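To check which installed Chrome extensions are able to see the address of every page visited, as the extensions described above did, the manifest of each extension can be audited for the permissions that expose page URLs. This is an added example, not code from the researchers or from the original article; it assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json`, the directory path is supplied by the caller, and the sample manifests are constructed.

```python
import json
from pathlib import Path

# Manifest API permissions that expose the URLs of pages the user visits.
URL_APIS = {"tabs", "history", "webNavigation", "webRequest"}
# Match patterns that cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return sorted reasons why this extension can observe visited URLs."""
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    declared = {p for p in declared if isinstance(p, str)}  # skip object entries
    findings = {f"api:{p}" for p in declared & URL_APIS}
    findings |= {f"host:{p}" for p in declared & BROAD_HOSTS}
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.add(f"content_script:{pattern}")
    return sorted(findings)


def audit_extensions_dir(ext_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions dir."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        findings = audit_manifest(manifest)
        if findings:
            report[path.parent.parent.name] = findings  # keyed by extension id
    return report


# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {
    "name": "sample-blocker", "manifest_version": 2,
    "permissions": ["tabs", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}],
}
SAMPLE_NARROW = {
    "name": "sample-notes", "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_BROAD))
    print(audit_manifest(SAMPLE_NARROW))
```

A finding means the extension has the capability to read page addresses, not that it transmits them; many legitimate blockers need the same permissions, so the result is a shortlist for review.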
Who Is Behind This?
The researchers say the apps and extensions belong to a Delaware company called "Big Star Labs." This company doesn't seem to have much in the way of an internet presence, and the researchers only discovered it by perusing privacy policies.
Why is this a problem? Because of the ambiguity of the source of this tracking collection, it's unclear who exactly has your browsing data from these apps. It's also unclear who they'll be selling it to. As we learned from last year's Equifax breach, your data may be at risk even in the hands of reputable actors.