Sega has said it is looking into claims that a trio of its Sonic games for Android are leaking personal data.
Security company Pradeo said late last week that it had discovered the Android games -- Sonic Dash, Sonic the Hedgehog Classic, and Sonic Dash 2: Sonic Boom -- were leaking user location data and device info.
Based on the download ranges offered by the Play Store, collectively the leaks could impact between 120 million and 600 million users. Among the tracking and advertising issues, the security firm also said it found two issues that could result in man-in-the-middle attacks, and a bagful of others that could potentially lead to encryption weakness and denial of service. On average, Pradeo said the Sonic games have 15 vulnerabilities each. In response, Sega told it is looking into the claims to determine their accuracy. "Sega works diligently to address any technical issues that could compromise customer data," the company said.
"If any third-party partners are collecting, transmitting, or using data in a manner that is not permitted by our agreement with the third party or Sega's mobile privacy policy, prompt corrective action will be taken."
Android apps found in the Play Store doing possibly dodgy things is far from being a new concept. Earlier this month, Check Point found malware hidden in 22 apps within the Play Store, which had been downloaded between 1.5 million and 7.5 million times.
The purpose of the malware was to generate ad revenue by repeatedly displaying pop-up adverts in ways that forced the user to click them before they could continue using their device. For example, users were forced to press on adverts before ending calls and accessing other apps.
Days earlier, researchers at Trend Micro said they had found 36 security apps on the Play Store that served malware instead of protecting users. In addition, the malicious apps also sneakily harvested user data, tracked devices' location, and repeatedly and aggressively pushed advertising onto the screen.
In November, a piece of banking malware was found in the Play Store for a third time, after it was removed twice during 2017. Dubbed BankBot, the malware stole banking credentials and payment information by tricking users into handing over their bank details by presenting an overlay window that looks identical to a bank's app login page.
Download SafeUM — communicate privately, without advertising and spam.
