May 4, 2015 · 2 minutes

New research might convince Android users to think before they download.

Eurecom has found that some applications reach out to almost 2,000 URLs in just a few minutes of usage on a Samsung Galaxy SIII Mini running Android. Many of those URLs are for sites that collect data about consumers to inform advertisements, some of which are shown in the app, some of which aren't.

The researchers monitored the traffic between their smartphone and a server they set up to see what various applications wanted to access over the Internet. They tested some 2,000 free applications from across the Google Play Store's 25 software categories, and in aggregate the apps reached out to 250,000 URLs.

Here's what the researchers at Eurecom conclude in their report:

[Our] results reveal several interesting insights: (i) that a significant number of applications, some highly rated, download an excessive number of advertisements which indicate that users may not be as sensitive to advertisements as anecdotally conjectured; (ii) a large number of applications communicate with a multiplicity of online tracking entities, a fact to which users may not be aware; and (iii) we find some applications communicating with websites that have been deemed malicious by malware detection engines. Our results underscore the need for greater transparency in the network interaction of mobile applications on the Android App store(s).
Google announced earlier this year that it would begin monitoring applications before they are uploaded to the Play Store. At the time, I wrote that the move could make it harder for developers to distribute malicious software to Android users, mostly because they could no longer release their apps without delay.

Yet there's a good reason why many of these applications -- some of which don't need to visit any URLs to function, and are sending customer data for no reason besides their creator's greed -- are cleared for distribution in the Play Store. They are sending all this information to services operated or praised by Google.

As MIT Technology Review notes in its report on Eurecom's study:

The team say about 10 percent of the apps they tested connect to more than 500 different urls. And nine out of 10 of the most frequently contact ad-related domains are run by Google.

The user tracking sites that apps connect to are less pervasive. More than 70 percent of apps do not connect to any user tracking sites. But those that do can be extravagant, some connecting to more than 800 user tracking sites. What’s more many of these are created by organizations that Google has designated with 'top developer status.' The worst offender is an app called Eurosport Player which connects to 810 different user tracking sites. All of which means that Google is allowing various applications to share customer data with hundreds or thousands of websites into the Play Store. At the same time, it's rewarding some of the worst actors with "top developer status," and running the ad-related sites most-visited by these applications.