The data collection is not limited to Facebook but also targets browsing history, including all the regular and sponsored Facebook posts, tweets, YouTube videos, and ads.

Facebook is undoubtedly the number one social media website in the world and home to the personal data of over 2.19 billion users worldwide, which makes it a lucrative target for malicious hackers, cybercriminals, state-sponsored agencies and, most importantly, advertisers.

After the Cambridge Analytica scandal, Facebook vowed to limit data collection by third-party advertisers, but it is evident that these advertisers always find ways to collect user data. In a recent campaign, a third-party advertiser (named later in this article) has been found collecting not only data from Facebook users but also their browsing history and location-related information.

The campaign was exposed by Andrey Meshkov, co-founder of AdGuard, who dubbed it a “huge spyware campaign.” According to Meshkov, the campaign is currently being used to steal data through popular Chrome extensions and Android apps used by millions of users worldwide.


It must be noted that the campaign is not limited to Facebook data but also collects browsing history, including all the regular and sponsored Facebook posts, tweets, YouTube videos, and ads.

List of Chrome extensions collecting & sharing user data

According to AdGuard’s findings, there are currently four Chrome extensions (there could be more) collecting user data and sharing it with a third-party advertiser, who sells the data on to other parties for revenue. Unfortunately, each extension has been installed on thousands of browsers:

Video Downloader For Facebook extension has been installed by over 170,000 users. A look at its reviews shows the extension does indeed download Facebook videos, but what users are not aware of is that it constantly snoops on their online activity and collects and shares their personal data.

PDF Merge – PDF Files Merger extension, with over 125,000 installs, claims to allow users to “take their separated pdf files and merge them into one PDF file easily, fast, efficient and most important.” A look at its review section shows the extension is quite popular and does what it claims, but according to its privacy policy, reviewed by AdGuard, it does more than it offers: it collects user data, including Facebook credentials and other personal data, and shares it with a third party.

Album & Photo Manager For Facebook extension has been installed by over 91,000 people. Its developers claim to provide an authentic Facebook album manager service; however, a look at its review section reveals the extension actually does nothing other than collect user data and share it with a third party.

Pixcam – Webcam Effects extension has over 26,000 installs and claims to be a “webcam effects application, which allows users to make photo effects and filtering easy.” A look at its review section shows the extension does not work for the majority of users, which indicates that its sole purpose is to collect user data from their browser activity and share it with a third party.

According to Meshkov, these spyware extensions work in such a way that once a user is logged into their Facebook account, they scrape all of their data immediately after the browser starts up. Furthermore, these extensions attempt to collect the user’s purchase history, including credit or debit card related activity; this alone is enough evidence for Google to remove these extensions from the Chrome store.

Once the collection is complete, the spyware sends the data to an Amazon Web Services (AWS) S3 bucket in hashed form, while the location data is sent in plain text. This location data includes the Facebook user’s IP address, mobile device location, city, state, and country.

Here is a list of Android apps collecting Facebook user data and sharing it with advertisers:

List of Android apps collecting & sharing user data

The data collecting saga does not end here. In the second phase, highly popular Android apps on the Google Play store are collecting the same user data as discussed in the case of the Chrome extensions. The third-party advertiser with whom the data is being shared is also the same.

Currently, there are two Android apps (there could be more) with millions of installs that are collecting user data:

Fast – Social App: This app claims to be a free alternative client for managing Facebook accounts. Its developers proudly claim that “Fast has been downloaded more than 10 Million times with more than 140k reviews.” However, its privacy policy openly states that it collects users’ personal data.


“Unimania collects nonpersonally identifiable demographic and psychographic data as well as sponsored campaigns, advertisements or posts that target you directly or that have been shared with you,” according to Fast – Social app’s privacy policy.

Fast Lite – Social App + Twitter is run by the same developers, has 1,000,000+ installs, and according to its privacy policy functions the same way and collects the same data.

“Scanning these developer apps’ traffic confirmed that “Fast-Social App” transfers pretty much the same data as the Chrome extensions do and to the same servers,” noted Meshkov.

Israeli connection and how exactly data is being collected

The whole campaign is a bit tricky, since there are no attackers involved, nor does it require hacking the user’s device. In fact, all the aforementioned Chrome extensions and Android applications have been sharing data with the third-party Israeli firm Unimania.

An in-depth look at Unimania’s privacy policy shows that the company openly admits collecting personal data and sharing it with others for various purposes, including financial ones.

“What Information We Collect and How We Collect It. In general, the Information we collect includes nonpersonally identifiable demographic and psychographic data as well as sponsored campaigns, advertisements or posts that target you directly or that have been shared with you,” says Unimania.

Furthermore, Unimania admits sharing the collected data, which opens a new Pandora’s box. Here is a screenshot from their privacy policy page that explains “The Way We Use Information.”

Simply put: AdGuard’s research exposes a campaign in which Android apps and Chrome extensions are stealing users’ Facebook data and spying on their social network browsing history. The campaign further collects users’ interests, demographics, and location-related data.

In total, 400,000 Chrome users are affected by this campaign, while the personal data of 11,000,000 Android users is currently being sold through two apps.

For malware campaigns, the usual advice is to install anti-malware software and keep the operating system updated. In this case, however, there are two suggestions: stop downloading unnecessary apps and extensions and, most importantly, start reading the privacy policy of any product you are about to download.

Remember, AdGuard is the same firm that previously exposed over 20 million fake malicious ad blocker extensions being used by millions of people around the world. AdGuard’s findings were acknowledged by Google Chrome’s security team, and all of the fake ad blocker extensions were removed from the Chrome store.

Update:

Google has removed both Fast – Social App and Fast Lite – Social App + Twitter from the Play Store after AdGuard’s and HackRead’s reports went public. However, all of the Chrome extensions are still available on the Chrome Web Store.