Facebook may once again be facing a privacy breach scandal.
The Android app of the world’s largest social network was collecting people's phone numbers even if they were not members of the site, had not signed in to the application and had not shared their numbers publicly.
This discovery was reported by Symantec Corporation, maker of the Norton security software suite, in a recent blog post where they also announced a new version of their Norton Mobile Security for Android software.
In the update, Norton said that Mobile Insight has examined more than 4 million Android applications and is processing tens of thousands of new apps each day.
“Through automatic and proprietary static and dynamic analysis techniques, Mobile Insight is able to automatically discover malicious applications, privacy risks, and potentially intrusive behavior,” the security software vendor said. In addition, Mobile Insight tells its users the exact risky behavior an application will perform and gives specific, relevant, and actionable information.
“The ability of Mobile Insight to automatically provide granular information on the behavior of any Android application even surprised us when we reviewed the most popular applications exhibiting privacy leaks,” Symantec said, introducing how the software surprised them after it tagged the Facebook Android app as malware.
“Of particular note, Mobile Insight automatically flagged the Facebook application for Android because it leaked the device phone number,” Symantec revealed.
“The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen,” the company said. [Emphasis added]
The discovery is significant because hundreds of millions of Android devices have the Facebook Android app installed, according to data from Google Play, Google’s marketplace for applications. This means hundreds of millions of devices have potentially sent their phone numbers to Facebook.
According to Symantec, it has already reached out to Facebook to confirm the discovery, and Facebook has admitted to what the software vendor discovered.
“We reached out to Facebook who investigated the issue and will provide a fix in their next Facebook for Android release,” Symantec said.
Furthermore, Facebook has told Symantec that it has deleted the data from its servers. Symantec said, “[Facebook] stated they did not use or process the phone numbers and have deleted them from their servers.”