Facebook sues data analytics firm OneAudience over malicious SDK

Facebook is suing the data analytics firm OneAudience for allegedly developing a malicious, social-media-profile-grabbing software development kit (SDK) and then paying app developers to embed it in their apps.
In a complaint filed in California on Thursday, Facebook charged that the polluted apps – which included shopping, gaming and utility-type apps – were inflicted onto mobile devices through various app stores, including Google Play. Once users installed the apps, the malicious SDK would slurp up information from their devices and from victims’ Facebook, Google, or Twitter accounts, if users logged into the app using those accounts.
According to the complaint, OneAudience’s malicious SDK swiped the data that Facebook users had agreed to share with the app – data that may have included their name, email address, the country where they logged in from, time zone, Facebook ID, and, sometimes, gender. The SDK funneled the data back to the New Jersey data analytics outfit, Facebook said, all without the company’s permission, and in violation of Federal and California law, its policies, and its terms of service – including those pertaining to use of its Facebook Login feature.
Jessica Romero, Facebook’s Director of Platform Enforcement and Litigation, said in a press release on Thursday that the platform first got wind of it after security researchers flagged the SDK’s bad behavior in its data abuse bounty program. In November 2019, Facebook tried to shut OneAudience down by sending a cease-and-desist letter and disabling apps.
The social media titan also asked OneAudience to participate in an audit, but the firm demurred.
Also in November, security researchers gave Twitter a heads-up about the ill-mannered SDK. Twitter said that its own security team found that the SDK could potentially slip into the mobile ecosystem to exploit a vulnerability having to do with a lack of isolation between SDKs within an app, which could enable the malicious SDK to slurp email, username, and last tweet. At the time, Twitter hadn’t found evidence of any accounts having been hijacked due to the malicious SDKs, but that’s what the vulnerability could have led to.
According to Facebook’s complaint, the SDK also got grabby with the user’s device, collecting call logs, cell tower and other location information, contacts, browser information, email, and information about installed apps.
This was all done to provide marketing to OneAudience’s customers, Facebook says. It’s alleging that OneAudience also lied about being partners with Facebook on its website. From the complaint:

In fact, OneAudience did not obtain data through any partnerships with Facebook and instead obtained data through the malicious SDK.

The complaint includes exhibits of the marketing puffery that OneAudience used to assure customers that its collection and marketing of all that data was kosher. A sample from Exhibit 2, from OneAudience’s “What We Collect” and “How the Data is Used” site pages:

All of our data is permission based and fully-compliant, meaning it’s been confirmed by the user to access and collect his or her personal data. We are also transparent in our terms and conditions and privacy policy so the user is aware of what is being collected and how it is being used. The user has the freedom to opt in or opt out at any point without affecting his or her access to app usage.

Facebook is looking for a jury trial. It wants OneAudience to stop all this, and it’s looking for the court to award damages.
Romero said in the press release that this just the latest in a string of lawsuits that Facebook’s filed to try to “protect people and increase accountability of those who abuse the technology industry and users.”

Cases that Facebook’s filed over the past year

Chastened as it is by blowback and payback over its own privacy practices, Facebook’s been hot on the lawyer front this past year. By my count, this is the sixth lawsuit the platform has filed against data-grabby third parties. We’ll put it on top of the year-long pile that also includes:

• In March 2019, Facebook sued two Ukrainians – Gleb Sluchevsky and Andrey Gorbachov – for allegedly scraping private user data through malicious browser extensions that masqueraded as quizzes.
• In May 2019, Facebook sued Rankwave, a South Korean social media analytics firm, alleging that the company abused Facebook’s developer platform’s data, that Rankwave refused to cooperate with the platform’s mandatory compliance audit, and that it likewise spurned Facebook’s request to delete data.
• In August 2019, it filed suit against two app developers – LionMobi and JediMobi – for putting apps onto Google Play that allegedly installed malware on users’ phones. The malware then created fake user clicks on Facebook ads, making it look like the phones’ owners had clicked on ads that they hadn’t actually touched.
• In October 2019, Facebook’s WhatsApp subsidiary sued spyware maker NSO Group for allegedly being behind an attack that silently installed spyware just by placing a video call to a target’s phone.
• In December 2019, Facebook sued ILikeAd for allegedly inflicting a malicious extension on victims’ browsers to steal their Facebook logins, take over their ad accounts, run bad ads, and then use the victims’ own payment information to pay for the ads.

These suits will teach those data suckers to keep out, said Facebook’s Romero:

Through these lawsuits, we will continue sending a message to people trying to abuse our services that Facebook is serious about enforcing our policies, including requiring developers to cooperate with us during an investigation, and advance the state of the law when it comes to data misuse and privacy.

Facebook has been eager to point to all the apps it’s booted: it was up to tens of thousands as of September 2019.
But bear in mind that app developers aren’t necessarily a plague of privacy locusts sucking Facebook dry without its permission or its knowledge. Facebook has a history of using access to user data sometimes as a carrot, and sometimes as a stick, depending on whether a developer or company was seen as a friend or a rival, as was illustrated when staff’s private emails were published by a fake news inquiry in the UK in December 2018.

Latest Naked Security podcast