Millions of Britons’ internet addresses are being sold online without their knowledge, allowing fraudsters and criminals to raise ticket prices, create fake social media followers and to conduct cyber attacks.
Software hidden within smartphone apps allows individuals and organisations to route internet traffic through devices owned by members of the public. It can be used to mask traffic to social networks and online retailers, experts said.
Luminati, an Israeli start-up owned by a British investor, boasted that it had access to 1.7 million Britons' internet protocol (IP) addresses and millions more worldwide.
The company legally obtains access to people's connections by embedding software within apps that run on Android smartphones. Another proxy network provider, Oxylabs, boasts of 1.1m British IP addresses and GeoSurf, which Luminati is suing for allegedly stealing its technology, said it has tens of thousands.
Luminati says that it offers reputable Fortune 500 clients a way to detect advertising fraud and check cyber security. However, it is not clear to the Britons giving up their IP addresses, which is linked to their residential address, what they are sharing and for what purpose.
When alerted by The Telegraph, Google, which operates Android, banned apps that share users' devices with Luminati, GeoSurf and Oxylabs and wrote to app makers ordering them to remove its code unless the app was specifically advertised as for joining a proxy network.
Apple had already blocked apps that run on its iPhone from running such software.
"Apps that facilitate proxy services to third parties may only do so in apps where that is the primary, user-facing core purpose of the app," Google said.
Impersonal computing | What apps are selling my internet address?
It can be hard to tell which apps might be secretly sharing your internet addresses to companies.
There is no law enforcing app developers to declare when they are sharing your IP address in a proxy network.
We know that some apps state in their T&Cs that users will be connected to the Luminati network. This includes Hola VPN, Mobdro, Audiosdroid Audio Studio, Speech2text translator, Vocal Calculator, FX Music Karaoke Creator, Portable ORG Keyboard, London Underground Tube Map (by Desoline), World Map, Battery Booster, Fake GPS.
GeoSurf uses Urban VPN.
It is unclear what apps GeoSurf and Oxylabs depend on for residential and mobile IP addresses although the companies claim to ask developers to declare its use in their fine print.
Apps that featured the software included EagleGet, a downloading tool, Tube Map, a London Underground planner, and a number of text-to-translator apps, voice calculators and audio editing apps including Audiosdroid Audio Studio, Speech2text translator, Vocal Calculator, FX Music Karaoke Creator, Portable ORG Keyboard, Desoline’s London Underground Tube Map, World Map, Battery Booster.
The virtual private network Hola, Urban VPN and Mobdro, a video streaming service, also involving sharing an address with proxy network's clients.
Luminati pays Android and Windows app developers to get access to devices that download an app. It offers $5,000 (£4,100) for every 100,000 addresses. It avoids being classed as malicious software because it is written in the fine print that the user is "becoming a peer on the Luminati network" however users may not be aware that they are forming part of a network that could be used to make an "unfair internet" or potentially for harmful purposes.
Ticket touts can use the service to impersonate other internet users by avoiding checks that limit how many tickets an individual can buy. Luminati offers a specific "ticketing" case study on its website along with social account management and ticket bots are banned on Ticketmaster.
Luminati says that it asks customers to undertake a compliance test when they buy IP addresses.
Businesses might use the services to impersonate other internet users, for example by ticket touts to avoid checks that limit how many tickets they can buy. Companies can also use them to "scrape" data from rival retailers by posing as thousands of different customers.
No comments:
Post a Comment