Are You Up to Speed on the Big Star Labs Security Threat?

By Des Nnochiri

The way apps and extensions can gather data on people has been drawn into sharp focus recently. While many people accept sacrificing a certain amount of privacy as the cost of a free-at-point-of-use internet, some companies clearly have been willing to cross the line into intrusion and manipulation. 

The first of these shady organizations to be dragged kicking and screaming into the harsh light of day, thanks to some exemplary journalism by the UK’s Channel 4 and Guardian newspaper, was Cambridge Analytica. The data analytics firm used apps to illegally harvest personal information from more than 50 million Facebook profiles and used the data to build complex psychological profiles with the power to allegedly swing elections around the world.

While Cambridge Analytic folded (at least in its present form), and Facebook CEO Mark Zuckerberg was hauled before Congress to answer on how the intrusion was allowed to happen, the story doesn’t end there.

A Malicious Discovery

This time, the reveal comes from ad-blocking platform AdGuard. During regularly-scheduled automated scans which AdGuard carries out of Google Chrome extensions as part of its normal running, the company stumbled across something breathtaking.

Four browser extensions, used by an estimated 420,000 people, were making suspicious data requests to several Facebook domains.

• Video Downloader for F
• Facebook (170K+ users)
• Album & Photo Manager for Facebook (92K+ users)
• PDF Merge – PDF Files Merger (125K+ users)
• Pixcam – Webcam Effects (31K+ users)

These spyware extensions were scraping the data of their users immediately after browser startup if they were logged into Facebook. And, let’s face it, most people are logged into Facebook.

(Image source: adguard.com)

Upon further investigation, the issue was found to be not just limited to these four suspects, but multiple browser extensions and mobile apps have been invisibly and illegally collecting data on over 11 million people – across all platforms, including Android and iPhone devices.

The full list of spyware is:

•  Block Site. Privacy policy.
  • Android app with 100,000+ installs.
  • Chrome extension with 1,440,000+ users.
  • Firefox extension with 119,000+ users.
• AdblockPrime. Privacy policy.

An ad blocker for iOS. It’s hard to estimate the user count as it is not distributed via App Store.

• Mobile health club apps. Privacy policy.

Developer of several popular Android utilities.

• • Speed BOOSTER – an Android app with 5,000,000+ installs.
  • Battery Saver – an Android app with 1,000,000+ installs.
  • AppLock | Privacy Protector – an Android app with 500,000+ installs.
  • Clean Droid – an Android app with 500,000+ installs.
• Poper Blocker. Privacy policy.
  • Chrome extension with 2,280,000+ users.
  • Firefox extension with 50,000+ users.
• CrxMouse. Privacy policy.
  • Chrome extension with 410,000+ users.

So, if you presently have any of these malicious pieces of software installed on your devices, stop reading now, go and uninstall them, revoke their permissions, and then come back.

Big Star Labs

Okay, you’re back? Great, we can continue.

As if the story couldn’t get any more curious, every single one of these apps and extensions is owned by a newly-registered company in Delaware, Big Star Labs. Unfortunately, Big Star Labs doesn’t seem to really exist; they have no website, no physical presence, and almost no internet footprint at all, which makes it nearly impossible to track down the beneficiaries of the data breach (i.e. those with whom the harvested data is shared).

“Big Star Labs is pretty good at hiding their affiliated apps and websites,” said Andrey Meshkov with AdGuard Research. “Every document that contains the company name is an image (in other words, you cannot simply Google their name), they use different accounts in extension stores, and the domain owners aren’t publicized. It made me use some serious Google-fu to find a bunch of Android apps which belong to the same “Big Star Labs” company: Speed BOOSTER, Battery Saver, AppLock | Privacy Protector, Clean Droid, Block Site.”

These apps all claim in their privacy policies that the information they gather is non-personal and anonymized but, with enough data, de-anonymizing it is not a difficult task. Your real name is easy to get from your Facebook profile and, by comparing data against social media profiles, algorithms can deduce almost everything about you, as demonstrated in 2017 research by Stanford University.

Final Thoughts

Big Star Labs seems set to be the next hot topic for high-profile data breaches. With the Cambridge Analytica scandal still so fresh in the news, it seems likely that, as time goes on, we’ll see many more of these kinds of unscrupulous companies being brought to the fore.

In the meantime, take care with the apps you install. However, Big Star Labs is so well hidden that even the most diligent of users is unlikely to have drawn the connections between all the apps and extensions they are responsible for.

This is likely to be a story to keep an eye on.

Zoë