AI apps on the Google Play store are leaking customer data and photos
Source: Mashable Tech
Overview
Not every AI tool you encounter in the Google Play store is the same. Many of them may pose a significant privacy gamble for users. A plethora of unlicensed or unsecured AI apps on Android, including those marketed for identity verification and editing, have exposed billions of records and personal data, cybersecurity experts have confirmed.
Specific Cases
Video AI Art Generator & Maker
A recent investigation by Cybernews found that the Android app Video AI Art Generator & Maker leaked:
- 1.5 million user images
- Over 385 000 videos
- Millions of AI‑generated media files
Researchers discovered a misconfiguration in a Google Cloud Storage bucket that left personal files vulnerable to outsiders. In total, more than 12 TB of users’ media files were accessible via the exposed bucket. The app had 500 000 downloads at the time of the breach.
IDMerit
Another app, IDMerit, exposed know‑your‑customer (KYC) data and personally identifiable information from users across 25 countries, predominantly in the United States. The leaked information included:
- Full names and addresses
- Birthdates and IDs
- Contact information
The breach amounted to roughly 1 TB of data. Both app developers resolved the vulnerabilities after being notified by researchers.
Broader Security Concerns
Cybersecurity experts warn that lax security practices among AI apps pose a widespread risk. Many AI apps store user‑uploaded files alongside AI‑generated content and employ a criticized practice known as hardcoding secrets—embedding API keys, passwords, or encryption keys directly into the app’s source code.
Cybernews found that 72 percent of the hundreds of Google Play AI apps analyzed had similar security vulnerabilities, highlighting the need for stronger security standards across the ecosystem.
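Added example (not from the article or from Cybernews): a minimal pre-release check for the hardcoded secrets described above, run over constructed sample source. The rule set, file paths, and sample values are assumptions for illustration.

```python
import re

# Rules for the secret types the article names: API keys, passwords,
# encryption keys. Illustrative rule set, not exhaustive.
RULES = [
    ("google-api-key", re.compile(r"AIza[0-9A-Za-z_\-]{35}")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("credential-assignment", re.compile(
        r"(?i)\b(\w*(?:password|passwd|secret|api_?key|token)\w*)"
        r"\s*[:=]\s*\"([^\"]{8,})\"")),
]
# Values that are clearly placeholders rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|your[_-]|example|\$\{|<)")

def scan_text(path, text):
    """Return (path, line_no, rule) for each suspected hardcoded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            if rule == "credential-assignment" and PLACEHOLDER.match(match.group(2)):
                continue  # skip obvious placeholders
            findings.append((path, line_no, rule))
            break  # one finding per line is enough for triage
    return findings

def scan_sources(sources):
    """Scan a {path: text} mapping in a stable order."""
    findings = []
    for path, text in sorted(sources.items()):
        findings.extend(scan_text(path, text))
    return findings

FAKE_KEY = "AIza" + "EXAMPLE" * 5  # constructed value, not a real key
SAMPLE_SOURCES = {  # constructed sample input (hypothetical app files)
    "app/src/main/java/Config.kt": (
        "object Config {\n"
        f'    const val MAPS_KEY = "{FAKE_KEY}"\n'
        '    const val dbPassword = "hunter2-constructed"\n'
        '    val apiToken = "<set-at-build-time>"\n'
        "}\n"),
    "app/src/main/res/values/strings.xml": '<string name="app_name">Demo</string>\n',
}

if __name__ == "__main__":
    for path, line_no, rule in scan_sources(SAMPLE_SOURCES):
        print(f"{path}:{line_no}: {rule}")
```

A check like this belongs in CI before release; any finding means the value should be moved to server-side configuration and the exposed credential rotated.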