UPDATED 20:41 EDT / APRIL 06 2022

SECURITY

Google removes Android apps with spyware linked to US security agencies

Google LLC has reportedly removed dozens of apps from the Google Play Store after researchers found they included software for collecting user data for a company with alleged ties to U.S. security agencies.

The Wall Street Journal reported today that spy software found in the apps came from Panamanian company Measurement Systems S. de R.L. The company is said to be linked through corporate records and web registrations to a Virginia defense contractor that does cybersecurity intelligence, network-defense and intelligence-intercept work for U.S. national-security agencies.

The Journal claims that Measurement Systems paid developers worldwide to incorporate its software development kit into their apps. The SDK allowed the company to collect data from users of those apps. The company told developers that it specifically wanted data from the Middle East, Central and Eastern Europe and Asia.

The code was found inside several Muslim prayer apps that have been downloaded more than 10 million times, a highway-speed-trap detection app and a number of other popular consumer apps. In total, it’s estimated that apps with the spy software were installed on at least 60 million Android devices.

Serge Egelman, a researcher at the International Computer Science Institute and the University of California at Berkeley, and Joel Reardon of the University of Calgary discovered the code and informed Google, federal privacy regulators and the Journal.

The two researchers run a mobile app security company called AppCensus. On the AppCensus blog, Reardon goes into more detail.

The software, described by Reardon as “Coulus Coelib,” receives various forms of data from users running apps with the code included. The software collects phone numbers, email addresses, GPS data and details such as phone identification markers.

The Measurement Systems SDK can also collect information stored in a phone’s clipboard, such as passwords, whenever the cut-and-paste feature is used. It can also scan some parts of the phone’s system, including files stored in the WhatsApp downloads folder. WhatsApp is the most popular messaging app in the world.

“A database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals,” Reardon wrote.

After the researchers informed Google of their findings, the apps running the software were removed from the Google Play Store on March 25. A spokesperson for Google noted that the apps could return to the store if the spy software is removed.

In response to the report, the Defense Department said that it buys “publicly and commercially available data to inform analysis of foreign threats to national security.”

Measurement Systems has denied the report, saying that the accusations are false and it has no links to U.S. defense contractors.
