I installed top 100 apps: my Android phone contacted Russia and China at night


Could your phone be sending data to Russia and China without you knowing and while you’re sleeping? Well, it probably does.

The experiment idea was simple. Take a factory-reset Android phone, download the 100 top free apps from the Play Store, start them once, give them the permissions they ask, and then leave the phone connected to the internet for 24 hours unused.

To check which servers, when, and where the phone would connect to, I routed all the traffic through a private DNS (Domain Name System) service. DNS is like a phone book of the internet – you ask DNS how to reach Cybernews.com, for example, and it provides the needed IP address where to go.


I even went an extra step and created new empty accounts for Google and social media apps, including Facebook and TikTok, and authorized with them where it was possible.

On the Play Store, the top 100 apps differ depending on the geographic location and change constantly. The experiment was conducted in the middle of Europe, from Vilnius, Lithuania. Strangely, the X app was not included among the top apps here; it was listed at 125.

The quality of installed apps deserves a dedicated discussion, but in short, most of them basically do the same thing. They flood the phone with notifications and serve you ads, which are sometimes interrupted with gimmicky features, such as turning on a flashlight, doodling, viewing PDFs, or prank calls from Santa.

[Image: phone notifications]

Armed with all that useful software, I expected the phone to lag, but to my surprise, the budget Samsung a52s dealt with that many apps without any trouble.

Requests landed in high-risk countries

During the three days of the experiment, my phone contacted various servers 6296 times – sending that many DNS queries.

DNS queries, while revealing the IPs and their approximate location, do not tell what data was sent or for which apps.


The phone connected to Russian IP addresses at least 39 times. I didn’t even have any Yandex apps installed, but the phone was reaching out to Yandex servers.

Among the servers visited were these:

  • report.appmetrica.yandex.net
  • mobile.yandexadexchange.net
  • ae01.alicdn.com
  • startup.mobile.yandex.net
  • yandex.ru

Logs reveal that yandex.net was accessed at various times: for example, at 4:42 in the morning, 7:58 AM, 9:54 AM, 5:17 PM, and twice at 9:15 PM.

[Image: traffic destination]

Yandex is a Russian search engine and internet services firm. According to NextDNS, which I used for this experiment, these servers provide advertising or advertising-related services such as data collection, behavioral analysis, or retargeting.

Fifteen queries landed in China. The servers my phone visited include:

  • audid-api.taobao.com
  • adashx.ut.alibaba.com
  • vod-icbu.alicdn.com
  • taomsg-imvod.alicdn.com
  • fourier.taobao.com

I had Alibaba and Aliexpress among the installed apps, but those did not include Taobao.

And three times, my phone even connected to Vietnam to “talk” to these servers:

  • data.lutech.vn
  • resources.lutech.vn
  • egoglobal.vn

“Lutech is a leader in ICT services for digital transformation. We create and manage Cloud, Cybersecurity, and Digital solutions for your business objectives,” the company's website states.

Big Tech tracks the most

Every 37 seconds on average, the phone made a connection to a server. 2323 queries were sent during the last 24 hours when the phone was not used at all.

It was no surprise that three companies, Google, Facebook, and Microsoft, accounted for almost 50% of the overall traffic. Google alone made 595 queries (25.6%) from my phone in 24 hours, while Facebook and Microsoft each contributed 12%.

[Image: GAFAM traffic]

What was surprising, however, was TikTok surpassing the Big Tech trio with at least 717 queries or 30.8% of the phone’s background connections.

Most of the connections were outside of Europe, where I reside. In one day, the phone visited dozens of countries on five continents, but mostly the US.
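As an added example (not part of the original article), here is a small Python script that reduces a private-DNS query log to the kind of figures discussed above: queries per company, each company's share of the total, the mean time between queries, and which names were looked up in the small hours when the phone was certainly idle. The log lines and the domain-to-company mapping are constructed for illustration, and the two-column log format is an assumption, not NextDNS's actual export format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (not real NextDNS output): ISO timestamp and queried name.
SAMPLE_LOG = """\
2024-03-01T04:42:10Z report.appmetrica.yandex.net
2024-03-01T04:42:11Z www.google.com
2024-03-01T07:58:03Z startup.mobile.yandex.net
2024-03-01T09:54:40Z graph.facebook.com
2024-03-01T10:12:05Z log.tiktokv.com
2024-03-01T10:12:06Z adashx.ut.alibaba.com
2024-03-01T17:17:30Z mobile.yandexadexchange.net
2024-03-01T21:15:00Z play.googleapis.com
"""

# Assumed mapping from registrable domain to the organisation behind it.
OWNERS = {
    "yandex.net": "Yandex", "yandexadexchange.net": "Yandex",
    "google.com": "Google", "googleapis.com": "Google",
    "facebook.com": "Facebook", "tiktokv.com": "TikTok",
    "alibaba.com": "Alibaba",
}

def root_domain(name):
    """Last two labels of a queried name (adequate for .com/.net names)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def parse_log(text):
    """Return a list of (datetime, domain) tuples from the two-column log."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, name = line.split()
            rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), name))
    return rows

def summarize(rows):
    """Per-owner counts, share in percent, mean gap in seconds, night-time names."""
    counts = Counter(OWNERS.get(root_domain(d), "other") for _, d in rows)
    total = len(rows)
    share = {o: round(100 * n / total, 1) for o, n in counts.items()}
    stamps = sorted(t for t, _ in rows)
    gap = (stamps[-1] - stamps[0]).total_seconds() / (total - 1) if total > 1 else 0.0
    # Names queried between midnight and 06:00, when nobody was using the phone.
    night = [d for t, d in rows if t.hour < 6]
    return {"counts": counts, "share": share, "mean_gap_s": gap, "night": night}

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

A DNS log like this shows only where the phone looked up names and when, not what was sent, which is exactly the limit the article notes.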

[Image: root domains]

I could only hope that this European Commission statement holds in practice:

“The protection offered by the General Data Protection Regulation (GDPR) travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands.”

Apps suck data

Even though I did not open or use the apps, many of them still consumed data, typically from a few hundred kilobytes to a few megabytes a day. While that usage did not seem high, the phone was empty, and there was nothing on it to snoop around for.

The network monitoring tool revealed that in 24 hours, the phone used 553MB of data, but most of that was used by Google Play store updates and other Google services. Only 20MB were uploaded from my phone.

TikTok used 56MB, of which 3.6MB were uploaded; Temu used 47MB, of which 1.23MB were uploaded; and Health Kit used 8.7MB (0.24MB uploaded), followed by many phone services.

Many apps, such as AR Draw, Emoji Merge Kitchen, or Filter for Good, used between a hundred kilobytes and one megabyte of data. Proxy Browser used 1.11 MB, while Meta’s Messenger used 941 kilobytes (KB) of data.

Even small amounts of data are more than enough to collect and send sensitive information about the user, such as location, network information, personal identifiers, or text communication and contacts. High data usage could signal audio/video data transmission.

The Samsung phone itself started shutting apps down after a while, notifying me that “some apps have been put in deep sleep because they were sending unnecessary notifications and slowing down your phone.” I was left without two health trackers and one Step Counter.

During the whole experiment, TikTok managed to use 317MB of data while running in the background. Facebook used 73MB, Meta App Manager used 41MB, Temu sent 22.16MB, and “AR Drawing” used 8.26MB. The phone, with all the app downloads and updates, used 8GB of data in total.


Cybernews researchers: raises privacy and security concerns

While it is not uncommon for apps to communicate with servers, the situation raises several potential concerns. I consider a phone communicating with servers in Moscow or Hangzhou a potential privacy and security concern, especially when it happens without the owner’s knowledge and permission.

It is impossible to know what is transmitted without deeper tech knowledge, network monitoring, and per-app analysis.

I asked the Cybernews research team what they thought about the situation.

“This by itself is not something that is unusual or very suspicious. These endpoints are used quite often in apps to track which ads users have watched, app usage, search patterns, and others. While this is a common practice, it does raise serious privacy and security concerns,” the Cybernews research team said.

According to them, governments in high-risk countries can gain access to the data without user knowledge or consent.

“While the data that is collected by these services is generally not that sensitive, journalists, activists, opposition, or other people that could be of interest to governments should take this extremely seriously and be careful. They should avoid using such apps or, at the very least, block traffic tracking services,” researchers noted.

Apps have excessive permissions by default

Cybernews has already reported on many apps asking for too many dangerous permissions. And some permissions cannot be revoked – the only way is to disable or uninstall the app.

“Network permission is granted to most apps by default. It is generally used to send usage data to such trackers or to allow an app that requires an internet connection to function,” Cybernews researchers said. “The internet permission is classified as ‘normal’ by Google.”


Normal permissions are automatically granted once the app is installed. Apps are only required to ask for consent for “dangerous” permissions.

“By default, there are no restrictions to what kind of servers the app could connect to once the permission is granted. This is most likely done to simplify the development of these apps and simplify the user experience,” researchers noted.

To track a user’s location, apps need the location permission, which they must ask for. Apps can also gain information about your network (Wi-Fi SSID, MAC address) and use that as a unique identifier.

“Without investigating the app or the API in question, it is impossible to say what the app could be sending. It could be sending diagnostic data about the performance while it is running in the background, or it could be trying to check the server for new offers or notifications. It could send files or photos from the device in theory, but to access them, it would need to ask for permission or exploit another app with those permissions,” researchers said.

They confirm that everybody’s phone will send information to Google or other vendors, including diagnostics, location, and other data points. This activity can be trusted only as much as the company behind it can be trusted. Authorities, such as police or government agencies, may request and access that data.


Comments

Robert Lopez, 11 months ago:
How did you route all the traffic to your private DNS?

fred ranger, 11 months ago:
So what you're saying is that I should hardcode addresses in my nefarious app if I want to bypass your security testing.