When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data. More than 16,700 of those pairs also involved privilege escalation, which means the second app received a type of sensitive information that it’s typically forbidden from accessing.

In one striking example, the study highlighted an app that provides prayer times for Muslims. It retrieves the user’s location and makes it available to other apps on the smartphone. More than 1,500 receiver apps, if installed on the same device, can get the location sent by the prayer-times app. Of those, 39 apps leak the location data to potentially dangerous destination.

Relatively small groups of unsecured apps were behind the enormous number of leaky connections. The 16,700 app pairs that exhibited privilege escalation all involved one of 33 sender apps. And the roughly 6,700 app pairs that leaked data without privilege escalation all involved one of 21 sender apps. Twenty sender apps appeared in both categories. The problematic apps came in various forms: from entertainment and sports to photography and transportation apps.

Collusive leaks aren’t always intentional—and it’s very difficult to tell when they are. But no matter the aim, leaks of sensitive information without a user’s permission carry potential for abuse.

Sometimes, only one app in a pairing may seem intentionally malicious. An app can take advantage of a security flaw in another app to steal data and extract it to a distant server, for example. Other times, both apps are poorly designed, creating an accidental data flow from one app to another, and then from the second to a log file.

The study found that smartphone location was more likely to be leaked than any other type of information. It’s easier to imagine how a user’s real-time location could be abused than, say, knowing what networks that person’s smartphone is connected to. But smaller details like network state can be used to “fingerprint” a device—that is, to identify it and keep track of what its user does over time.

When they analyzed the the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS. Sixteen sender apps and 32 receiver apps used permission escalation and extracted leaked data in one of those two ways.