
Sonic the Hedgehog Android games caught leaking personal data
Mobile security researchers at cybersecurity firm Pradeo have discovered that many of Sega’s Sonic the Hedgehog Android games were leaking users’ data to uncertified servers.
The games in question, Sonic Dash, Sonic Boom and Sonic the Hedgehog Classic, have been downloaded hundreds of millions of times from the Google Play Store.
Pradeo discovered that the three games were sending information such as location and device data to 11 remote servers, three of which were uncertified.
Most of the remote servers are used for legitimate purposes such as marketing, but the three suspicious servers were linked to unwanted library apps.
A software library is a suite of data and programming code that is used to develop software programs and applications. It is found bundled with certain Android applications.
What exactly got leaked?
Along with sending a user’s location to unidentified servers, the Sonic the Hedgehog Android games also leaked mobile network information such as service provider name and network type.
Device information including the manufacturer, commercial name, battery level and the operating system version number were also found to be compromised.
As well as the leaking of sensitive data, Pradeo also found 15 vulnerabilities in the games.
These include two flaws that make devices susceptible to man-in-the-middle attacks.
Others were found to be potentially exploitable for DDoS attacks and for leaking sensitive data through weak encryption.
How bad is it?
In a blog post researchers wrote: “Lately, the Pradeo Lab noticed an increase in the amount of official apps fooling their users into giving them access to data they don’t actually need.
“In most cases, when installing an app from Google Play, users accept permissions without giving a second thought. As a result, publishers collect private information about their clients, such as geolocation, device data, user data, gallery, contact lists, browser history and SMS.”
In response, Sega issued a statement saying it is now investigating the matter. The company said: “Sega works diligently to address any technical issues that could compromise customer data.
“If any third-partners are collecting, transmitting, or using data in a manner that is not permitted by our agreement with the third party or Sega’s mobile privacy policy, prompt corrective action will be taken.”
With over three and a half million apps available on the Google Play Store, it is inevitable some would be compromised.
In the meantime, gamers should be wary of downloading Sonic the Hedgehog apps until updates have been issued.