- Yandex uses software that lets developers create apps for devices which run on Apple and Google systems.
- That software collects user data sent to servers in Russia, which experts say could be used to track people.
- Yandex has faced scrutiny amid allegations of censorship following Russia's invasion of Ukraine.
Smartphone users could be at risk of being tracked by Russian authorities due to app software created by the country's largest internet firm, the Financial Times reported on Tuesday.
Yandex's software development kit, or SDK, called "AppMetrica" lets developers create apps for devices running on Apple's iOS and Google's Android systems, the outlet reported.
AppMetrica collects user data that is sent to servers in Finland and Russia, the latter of which, experts told the FT, could potentially be accessed by the Kremlin to track individuals. The paper reported that games, VPNs and messaging applications are among the apps that have AppMetrica installed.
Yandex, sometimes referred to as Russia's version of Google, has come under close scrutiny following Moscow's invasion of Ukraine. The internet giant has been accused of censoring news from Ukraine, and the company's former head of news has urged his ex-colleagues to quit over the firm's role in potentially aiding censorship. Western sanctions levied against Russia have triggered the resignation of several of its board members.
"The AppMetrica SDK claims to provide appropriate services, all while phoning home to Moscow with deeply invasive metadata details that can be used to track people across websites and apps," Zach Edwards, the researcher who made the discovery, told the FT.
He told the outlet that the use of apps with AppMetrica installed by individuals with "high profile jobs" could leave them vulnerable to "dangerous" attacks or other forms of surveillance.
Yandex told the newspaper that its software does collect "device, network and IP address" data, which is stored in Russia and Finland, but that it is "limited" data, incapable of identifying users, and that the company has a strict process when dealing with government requests. The company additionally said that the SDK requires consent from a user to access its data.
It also told the outlet that its software "operates in the same way as international peers," such as Google's app-building platform, Firebase.
Yandex did not immediately respond to Insider's request for comment.
Another expert, Cher Scarlett, who formerly worked in global security at Apple, told the FT that if data is collected on Russian servers, local legal regulations could force Yandex to provide it to authorities there.
US Senate finance committee chair Ron Wyden criticized Google and Apple for not taking action against Yandex's software, telling the FT: "These apps leech private, sensitive data from apps on your phone, threatening US national security and the privacy of Americans and other individuals around the world."
"We're always working to improve privacy and transparency on Google Play, including efforts around SDKs, and are reviewing the allegations in this report," a Google spokesperson told Insider, referring to the FT's report. "When we find apps that violate Google Play's policy, we take appropriate action."
Apple told the FT that accessing user data would require consent from the user. The company did not immediately respond to Insider's request for comment.
In recent weeks, some app developers, such as games-app developer Gismart, have removed AppMetrica from their apps, the FT reported.
"We made a decision to stop using Russian-owned services when the war started," Gismart's spokesperson told the FT.
Web browser Opera told the newspaper that it had disabled Yandex's SDK on February 15 and was preparing for its "full removal."