These ad blockers and VPNs are spying on you: What to do

Siri presenting 'Go ahead, I'm listening' in text on iPhone screen.
(Image credit: Wachiwit/Shutterstock)

Some widely used best VPN, ad-blocking and utility apps for Android and iOS are secretly collecting user data, BuzzFeed News has found.

The apps, including Luna VPN, Adblock Focus, Mobile Data and Free and Unlimited VPN, were all created by Sensor Tower, a San Francisco data-analytics firm that, according to its website, helps app developers "understand the mobile ecosystem and maximize the potential of mobile advertising in order to efficiently generate quality, high-value users."

If you install one of these apps on iOS or Android, BuzzFeed News said, the app will add a cryptographic root certificate that, in our understanding, would let it stage a man-in-the-middle attack on encrypted communications. The Sensor Tower app would be able to read all or most of the phone's network traffic.

"Your typical user is going to go through this and think, Oh, I'm blocking ads, and not really be aware of how invasive this could be," Malwarebytes threat analyst Armando Orozco told BuzzFeed News.

What you need to do

Apple has removed Adblock Focus from the App Store, but Luna VPN is still there. The Android version of Adblock Focus was still in the Google Play Store at the time of this writing, along with Luna VPN, Mobile Data and Free and Unlimited VPN. BuzzFeed did not name any other Sensor Tower-associated apps.

Three screens from the Adblock Focus listing in the Google Play app store.

Three screens from the Adblock Focus listing in the Google Play app store. (Image credit: Orbital Software/Google)

If you have one of these apps installed, you should obviously remove it. Our general advice is to not use any VPN mobile app that offers totally free, unlimited service, because it's got to make money some other way, and the quickest is by collecting and selling user behavioural patterns. As the old adage goes, if you're not the customer, then you're the product.

BuzzFeed News said Sensor Tower had created at least 20 smartphone apps with at least 35 million downloads since 2015. An Apple spokesperson told BuzzFeed News that several other apps associated with Sensor Tower had earlier been removed from the App Store, but didn't name them.

Breaking the rules

Perhaps surprisingly, a Sensor Tower representative confirmed the apps' hidden abilities, but insisted that all user data fed to Sensor Tower's clients was aggregated and anonymized so that individual users might not be identified.

That might not be enough to keep the apps in the Google Play and Apple App stores. Installing a root certificate would likely violate both stores' terms of use. 

Sensor Tower allegedly got past Apple and Google's app screeners by not putting the root certificate in the versions of the apps that users download from the stores. Instead, users are apparently tricked into installing the root certificates after installation. 

BuzzFeed News showed how a pop-up window in the Luna VPN iOS app offered to block ads in YouTube; if the user clicked "OK," the app would install the root certificate. 

Hiding the apps' true origins

None of the apps mention Sensor Tower in their descriptions in the Android or iOS app stores. Luna VPN's developer is listed as Emban Networks; Adblock Focus by Orbital Software, Inc.; and Mobile Data and Free and Unlimited VPN by Gibli Mobile. Each of these were the only apps associated with those developers.

Both Apple and Google require that all developers have a website to which an app's listing can link to, and all three of these companies presented bare-bones websites, although some of the websites' names didn't match what was listed in the app stores. 

BuzzFeed News didn't list any other apps created by Sensor Tower, and we weren't able to tell whether the company had any other apps in either the iOS or Android app stores. However, the Adblock Focus and Luna VPN apps use a lot of the same imagery.

Luna VPN app screengrabs as show in the Google Play app store.

Luna VPN app screengrabs as show in the Google Play app store. (Image credit: Emban Networks/Google)

Speaking with BuzzFeed News, Sensor Tower's Randy Nelson defended his company's decision to hide its role in creating and distributing these apps.

"When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense," Nelson told BuzzFeed News. 

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.