Sega investigating claims Android Sonic games are leaking data

The games publisher has promised swift justice if any third party is found to be responsible for the claimed leaks.
Written by Chris Duckett, Contributor

Sega has said it is looking into claims that a trio of its Sonic games for Android are leaking personal data.

Security company Pradeo said late last week that it had discovered the Android games -- Sonic Dash, Sonic the Hedgehog Classic, and Sonic Dash 2: Sonic Boom -- were leaking user location data and device info. Based on the download ranges offered by the Play Store, collectively the leaks could impact between 120 million and 600 million users.

Alongside the tracking and advertising issues, the security firm said it found two issues that could result in man-in-the-middle attacks, and a bagful of others that could lead to encryption weakness and denial of service.

On average, Pradeo said the Sonic games have 15 vulnerabilities each.

In response, Sega told ZDNet it is looking into the claims to determine their accuracy.

"Sega works diligently to address any technical issues that could compromise customer data," the company said.

"If any third-party partners are collecting, transmitting, or using data in a manner that is not permitted by our agreement with the third party or Sega's mobile privacy policy, prompt corrective action will be taken."

Finding Android apps in the Play Store doing possibly dodgy things is far from a new concept.

Earlier this month, Check Point found malware hidden in 22 apps within the Play Store, which had been downloaded between 1.5 million and 7.5 million times.

The purpose of the malware was to generate ad revenue by repeatedly displaying pop-up adverts in ways that forced the user to click them before they could continue using their device. For example, users were forced to press on adverts before ending calls and accessing other apps.

Days earlier, researchers at Trend Micro said they had found 36 security apps on the Play Store that served malware instead of protecting users.

The malicious apps also sneakily harvested user data, tracked devices' location, and repeatedly and aggressively pushed advertising onto the screen.

In November, a piece of banking malware was found in the Play Store for a third time, after it was removed twice during 2017.

Dubbed BankBot, the malware stole banking credentials and payment information by presenting an overlay window that looked identical to a bank's app login page, tricking users into handing over their bank details.
