Ad-blocking software maker AdGuard says it has discovered “multiple browser extensions and mobile apps invisibly collecting users’ browsing history”. Alarmingly, more than 11 million people seem to be using those apps and extensions, seemingly oblivious to the privacy and security risks posed by them. Interestingly enough, the spyware apps are wreaking havoc not only on Android, but also on iOS.

According to the report, the offending apps and extensions belong to what AdGuard describes as ‘a newly registered Delaware company named Big Star Labs’. On its official blog, AdGuard has listed what it claims is the full list of suspicious apps and extensions that belong to Big Star, but says that it hasn’t been able to track down every remote third-party server that receives user-data surreptitiously.

Andrey Meshkov, the co-founder and team lead for the ‘perpetuum mobile’ unit of AdGuard, also says that while conducting an automated scan of the Chrome extensions traffic in search of suspicious requests, he came across “several extensions sending almost identical requests every time one opens a new web page”. Meshkov has published the code on Github to help others check for suspicious traffic originating from their own devices.

Meanwhile, the extensions, called Poper Blocker, Block Site and CrxMouse, are seemingly quite popular and are used by millions. While some of them do admit collecting ‘anonymous browsing data’ to improve their service, Meshkov dismisses such explanations as ‘weak’, and argues that calling people’s browsing history ‘anonymous’ is “a big stretch” to say the least.

The report also lists a bunch of apps – Speed BOOSTER, Battery Saver, AppLock | Privacy Protector, Clean Droid, Block Site – that it says are also from the same company and also indulges in similar behavior. Google seems to have taken note of the report since its publications, because as of July 25, none of the apps are listed on the Play Store any more.

It is worth noting here that Big Star also apparently has an iOS ad-blocker called ‘Adblock Prime’ that Meshkov claims is a privacy nightmare if not an out-and-out malware. The app can explore the full list of apps present on the device (which is forbidden for regular iOS apps), access browser history, and even install third-party apps!

According to lawyer and Data Protection expert Alexey Muntyan, while the behavior of the aforementioned apps and extensions aren’t illegal in the strictest sense of the term, it “automatically casts doubt on compliance with applicable GDPR requirements regarding the subject’s consent to the processing of his or her personal data”.

Meshkov’s lengthy post is filled with a boatload of technical details and additional information that could interest security professionals. Click here to see the report.