AI Apps on Google Play Leak Millions of User Photos & Data | Security Breach
A security investigation has revealed that multiple AI-powered applications available on the Google Play Store have been leaking substantial amounts of user data, including photos, videos, and personally identifiable information. The breaches, stemming from unsecured configurations, raise significant privacy concerns for Android users.
One of the most prominent examples is “Video AI Art Generator &. Maker,” an app offering AI-driven photo and video editing features. The application, which had over 500,000 downloads before the vulnerability was discovered, exposed a staggering 12 terabytes of user-uploaded content. This included more than 1.5 million personal images, over 385,000 videos, and millions of AI-generated media files – approximately 2.87 million AI-generated images, 2.87 million AI-generated videos, and over 386,000 AI-generated audio files, according to researchers at Cybernews.
The data leak occurred due to a misconfigured Google Cloud Storage bucket that lacked authentication, allowing anyone who discovered it to access the stored files. The exposed storage contained files dating back to the app’s launch in mid-June 2023, suggesting that every user upload since its inception was potentially compromised.
The app is linked to Codeway Dijital Hizmetler Anonim Sirketi, a Turkish company. However, the application was not prominently featured on the developer’s official website, and Codeway’s Play Store profile lists only a limited number of other apps. Cybernews also noted that another app from the same developer, Chat & Ask AI, had previously experienced a separate data exposure incident due to a backend misconfiguration.
Beyond the image and video editing app, another application, IDMerit, also suffered a data leak. This app, focused on identity verification, exposed know-your-customer (KYC) data and personally identifiable information (PII) from users in 25 countries, with a significant concentration in the United States. The leaked information included full names, addresses, birthdates, identification documents, and contact details – a full terabyte of sensitive data.
This type of data is particularly valuable to malicious actors, providing the building blocks for identity theft, fraud, and other cybercrimes. The exposure of KYC data is especially concerning, as it often contains highly sensitive information required for financial transactions and legal verification.
Researchers attribute the root cause of these leaks to insufficient oversight by developers regarding data access management. These security flaws highlight serious vulnerabilities in how application developers handle sensitive user data, particularly when granting broad access permissions without adequate scrutiny.
Following the discovery of the leaks, Google collaborated with the affected developers to secure the compromised databases and restrict public access to the exposed files. Some of the applications have also been removed from Google Play Store search results. However, as of , Google has not issued a formal statement outlining the steps taken to prevent similar incidents in the future or to ensure user protection against comparable risks.
Cybersecurity experts emphasize the importance of user caution when granting permissions to applications, especially those lacking established reputations or robust technical reviews. Users should carefully consider the access requests made by apps, particularly regarding photos, files, and sensitive personal information.
The incidents underscore the growing risks associated with the proliferation of AI-powered applications and the need for stronger security measures to protect user data. As AI technology becomes more integrated into everyday life, ensuring the privacy and security of personal information will become increasingly critical. The lack of stringent oversight and security practices among some developers raises questions about the overall security landscape of the Android app ecosystem and the potential for further data breaches.
These vulnerabilities aren’t isolated incidents. They represent a broader trend of unsecured AI applications posing a threat to user privacy. The ease with which these data leaks occurred highlights the need for more rigorous security audits and improved data protection protocols within the Google Play Store and across the Android platform.