In that post, the team has included a link directing a bundle of data dump for August and September stored in a cloud storage service called Mega.
As soon as the post was published, researchers and penetration testers across the world downloaded the data dump, either through the device browser or mega browser provided by mega cloud service. While downloading, the data dump from the cloud service, users are restricted in certain downloads and are asked to download the mega browser from Playstore to access such files.
Here, the problem starts. While analysing the browser’s data in availing permissions, the browser is noted to access the camera for taking pictures, followed by the permissions to read the installed user’s contacts. It is uncertain as to why the browser accesses users contacts.
Similar to it, a feedback app, Sarahah, claiming itself to be anonymous, was defamed as a privacy breacher for collecting user contacts, by media outlets across the world a month ago.
Now, we found this app with similar issues. So, actors and penetration testers are requested to check with the permissions of such apps. It is advisable to avoid installing such apps from third-party sites to prevent such problems. Also, check with the permissions often with the apps in settings tab in your smartphone.