Facebook is suing One Audience, a data analytics company that allegedly developed a malicious SDK (software development kit) and then paid app developers to include it in their apps.
Facebook filed its suit on Thursday in California and alleged that the apps that had been polluted were downloaded onto devices through a number of different app stores, including Google Play.
Once a user had installed the app, the SDK would maliciously collect data from the user’s Twitter, Google, and Facebook accounts.
According to Facebook, the data collected included information like email address, location, time zone, name, Facebook ID, and occasionally the gender. The SDK would funnel the data back to the company, which is based in New Jersey, without Facebook’s express permission. They also violated a couple of data privacy laws in the process.
Director of Facebook’s Litigation and Platform Enforcement Jessica Romero says that the platform first found out about One Audience’s actions after security researchers red-flagged the behavior.
Facebook had already tried to shut One Audience down in late 2019 by disabling apps and issuing a cease-and-desist letter. Facebook also asked One Audience if they would undergo an audit, which they refused.
Security researchers also made One Audience known to Twitter in late 2019, and Twitter says that its own group of security researchers found that the SDK was potentially responsible for exploiting loopholes and vulnerable security systems, which made it easy for them to siphon data. However, Twitter at the time couldn’t find any evidence of accounts being hijacked in this way.
According to the suit that Facebook filed Thursday, the SDK was also able to collect things like call logs, as well as other location information including contacts and even browser history. Apparently, this was all done to offer marketing to One Audience’s customers.