Android tablet
Android tablet ciupa/Pixabay

A new study published this week by researchers at Virginia Tech found thousands of popular Android apps are capable of colluding with one another to share user data and information without permission.

The study, which was conducted by professors from the Department of Computer Science in Virginia Tech’s College of Engineering, analyzed 100,206 apps from the Google Play Store and found 23,495 pairs of apps that communicated with one another to collect and share user data.

Read: Windows Malware: More Than 100 Android Apps In Google Play Store Infected With Windows Virus

This tactic of collusion, in which apps communicate with one another without the user’s knowledge, allow some apps and services to bypass restricted permissions and gain access to information collected by other apps.

"Researchers were aware that apps may talk to one another in some way, shape or form,” Assistant Professor Gang Wang said in a statement. “What this study shows undeniably with real-world evidence over and over again is that app behavior, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone.”

While there were a significant number of pairings found in the sample size of more than 100,000 apps, there was a relatively small number of primary offenders. There were 54 apps responsible for instigating the sharing of information, while the rest of the apps were complicit in handing over data.

Most of those apps initiating the sketchy data sharing practice were ones that perform innocuous tasks. According to the research team, the biggest security risks were apps that pertained to personalization of ringtones, widgets and emoji.

Read: Popular Android VPN Apps Put Users At Risk, Researchers Find

For the most part, the risk of unwanted data sharing is still relatively low, assuming users don’t have one of the instigating, invasive apps installed on their device. However, without proper protections on the user end and rules for developers, there is always the risk these types of apps become more prominent.

Nikolaos Chrysaidos, the head of mobile threat intelligence and security at Avast, told International Business Times that users should be aware most Android apps are collecting user data of some sort and users should be aware of what they are collecting and why.

“If an app contains malware, it is likely the goal of its developer to gather as much information about the user [as possible],” he said. “Given there is no need for such apps to be secure, a big percentage of this data is usually transferred over the network with no encryption, which adds further risk to the user and their data.”

Chrysaidos noted that genuine apps will collect data as well, but it is primarily used to improve the app itself. Free apps will often collect a wider swath of user information to sell or use for targeted advertising. Those types of apps can potentially be obtrusive when it comes to user data.

The mobile security expert advises users take basic precautions to avoid putting themselves at risk. He suggested users avoid third-party app stores that have lower standards than the Google Play Store, avoid apps with low ratings and bad reviews, and install a mobile security service to protect against potential threats and identify bad actors.