Facebook sues data analytics firm OneAudience over malicious SDK
Facebook is suing the data analytics firm OneAudience for allegedly developing a malicious, social-media-profile-grabbing software development kit (SDK) and then paying app developers to embed it in their apps.
In a complaint filed in California on Thursday, Facebook charged that the polluted apps – which included shopping, gaming and utility-type apps – were inflicted onto mobile devices through various app stores, including Google Play. Once users installed the apps, the malicious SDK would slurp up information from their devices and from victims’ Facebook, Google, or Twitter accounts, if users logged into the app using those accounts.
According to the complaint, OneAudience’s malicious SDK swiped the data that Facebook users had agreed to share with the app – data that may have included their name, email address, the country where they logged in from, time zone, Facebook ID, and, sometimes, gender. The SDK funneled the data back to the New Jersey data analytics outfit, Facebook said, all without the company’s permission, and in violation of Federal and California law, its policies, and its terms of service – including those pertaining to use of its Facebook Login feature.
Jessica Romero, Facebook’s Director of Platform Enforcement and Litigation, said in a press release on Thursday that the platform first got wind of it after security researchers flagged the SDK’s bad behavior in its data abuse bounty program. In November 2019, Facebook tried to shut OneAudience down by sending a cease-and-desist letter and disabling apps.
The social media titan also asked OneAudience to participate in an audit, but the firm demurred.
Also in November, security researchers gave Twitter a heads-up about the ill-mannered SDK. Twitter said that its own security team found that the SDK could potentially slip into the mobile ecosystem to exploit a vulnerability having to do with a lack of isolation between SDKs within an app, which could enable the malicious SDK to slurp email, username, and last tweet. At the time, Twitter hadn’t found evidence of any accounts having been hijacked due to the malicious SDKs, but that’s what the vulnerability could have led to.
According to Facebook’s complaint, the SDK also got grabby with the user’s device, collecting call logs, cell tower and other location information, contacts, browser information, email, and information about installed apps.
This was all done to provide marketing to OneAudience’s customers, Facebook says. It’s alleging that OneAudience also lied about being partners with Facebook on its website. From the complaint:
In fact, OneAudience did not obtain data through any partnerships with Facebook and instead obtained data through the malicious SDK.
The complaint includes exhibits of the marketing puffery that OneAudience used to assure customers that its collection and marketing of all that data was kosher. A sample from Exhibit 2, from OneAudience’s “What We Collect” and “How the Data is Used” site pages:
Facebook is looking for a jury trial. It wants OneAudience to stop all this, and it’s looking for the court to award damages.
Romero said in the press release that this is just the latest in a string of lawsuits that Facebook’s filed to try to “protect people and increase accountability of those who abuse the technology industry and users.”