Cyber Cache

Contact Us

Forced Spyware on Samsung Phones in MENA: The AppCloud & IronSource Controversy

Estimated Reading Time: 10 minutes

Samsung smartphone users in the Middle East and North Africa (MENA) have recently been alerted to a serious privacy threat lurking in certain devices. Owners of Galaxy A-series and M-series phones discovered a hidden, pre-installed application called AppCloud silently collecting their data without smex.org alestiklal.net This app – essentially bloatware baked into the operating system – cannot be easily removed and has raised alarm among digital rights organizations. Investigations revealed that AppCloud is linked to an Israeli-founded company, ironSource, and was introduced on Samsung devices in the region through a partnership in 2022nasdaq.com sunnafiles.com The situation has been described as “forced spying” on Samsung phones in MENA, with grave implications for user privacy and regional security.

What is AppCloud (and Aura)?

AppCloud is an application that comes pre-installed on Samsung Galaxy A and M series smartphones, particularly those distributed in West Asia and North Africa nasdaq.com sunnafiles.com Unlike typical apps, AppCloud doesn’t appear as a user-facing app you can easily open or uninstall. It runs as part of the system software (firmware), making it bloatware – unwanted software included by the manufacturer smex.org smex.org Notably, Samsung expanded its partnership with ironSource in late 2022, making ironSource’s software the default on all new A/M models in over 50 markets across MENA nasdaq.com. In practice, this meant AppCloud was embedded on these devices out-of-the-box, without users’ knowledge or permission.

IronSource Aura Integration: IronSource (now a subsidiary of Unity Technologies) provides a solution suite called Aura for device makers and carriers. According to a press release, Aura is designed to “provide relevant content, apps and services” on devices, ostensibly to enhance user experience nasdaq.com On Samsung phones, AppCloud functions as the hook for Aura. Once AppCloud is present, it installs another component called “Aura”, which surfaces app recommendations and content to the user alestiklal.net alestiklal.net. Samsung portrays this as a way to personalize and “upgrade” the device experience nasdaq.com . However, security researchers have found that behind these friendly app suggestions lies a data-harvesting operation.

Data Collection and Privacy Risks

Extensive Data Harvesting: Investigations by the Lebanese digital rights group SMEX and others uncovered that AppCloud (and the Aura apps it brings in) collect an alarming range of personal data from the device. This includes:

  • Device Identifiers: unique device IDs and device fingerprints (a combination of device attributes that uniquely identify it)smex.org alestiklal.net.
  • Network Data: the phone’s IP address, which can reveal general location and network info smex.org alestiklal.net.
  • Personal/Biometric Data: potentially biometric identifiers like fingerprint information, and other personal details about the user smex.org alestiklal.net. (The app’s privacy policy – when it could be traced – explicitly mentioned collection of biometric data and other sensitive info smex_smart_phones smex_finger.)
  • App Usage and Activity: the applications you install or use, and your interactions within them. Aura’s business model is to recommend or auto-install apps, so it monitors your app activity to push “relevant” apps nasdaq.com. This means it can log which apps are opened and possibly other in-app events, building a profile of your usage patterns.
  • Location Data: Geolocation can be inferred or collected. While Samsung/ironSource have not openly detailed this, the data collected can pinpoint the user’s city or country via IP. Moreover, if the user has granted any location-sharing settings that Aura can tap into, it could obtain precise location coordinates. Observers note that the collected data “enables identification and geographical location of the phone’s owner” effectively tracking where a user is alestiklal_spyware. In other words, if location services are active, AppCloud/Aura could harvest real-time location, greatly amplifying the privacy risk.

 

No Transparency or Consent: Perhaps most disturbing is that all this data collection happens silently, without user consent or awareness. Samsung did not inform users at device setup that a data-collection service was running in the background. There is no prompt to grant permissions specifically for AppCloud/Aura; it comes pre-approved as part of the system. Users in MENA were essentially opted in by default to an Israeli-built tracking service on their personal phones smex.org smex.org. Furthermore, no easily accessible Privacy Policy or Terms are provided for AppCloud on the devicessmex.orgsmex.org. SMEX researchers noted that AppCloud isn’t listed in app stores or Samsung’s app listings online, and its privacy policy was hidden until they traced it back to ironSource smex.org. This opacity means users have no idea what specific data is being siphoned or for what purpose – a blatant violation of standard privacy norms.

Comparison to Spyware: Given these behaviors, experts and media in the region have labeled AppCloud a form of spyware. It operates covertly and gathers sensitive personal information, much like malicious surveillance software. In fact, Al-Estiklal Newspaper reported that this hidden app poses “significant risks, especially if you are a potential target of Israeli surveillance”alestiklal.net alestiklal.net. The data harvested could potentially be used to monitor individuals’ communications and movements. In a region where political tensions run high, such detailed data could be exploited for intelligence purposes – some even speculated about it being used to track high-profile targets alestiklal.net. While the notion of targeting individuals may be speculative, the privacy invasion is indisputable: every user with this bloatware is having their phone effectively report home with personal data.

Unremovable Bloatware and User Impact

Deep OS Integration: A key concern is that AppCloud is deeply integrated into the phone’s operating system, making it extremely difficult for the average user to eliminate smex.org smex.org. Unlike a normal app that you can uninstall, this one is baked into the firmware by Samsung. Attempts to remove it without specialized tools are futile.

  • No Uninstall Option: AppCloud doesn’t present an “Uninstall” button in the Apps settings, and it’s often hidden from the main launcher menu smex.org smex.org. Samsung effectively locked it in as a system app.
  • Persistent After Updates: Even if tech-savvy users manage to disable or remove parts of it, system updates will reinstall or reactivate AppCloud. Users have reported that after a firmware update, AppCloud/Aura returns or re-enables itself, undoing any previous removal attempts smex.org smex.org. Samsung’s own community forum had posts as early as August 2023 from puzzled users asking “How can I remove AppCloud?”, noting that it **“cannot be deleted… it WILL pop up reliably after each and every system update”*alestiklal.net.

Impact on Users: Beyond the obvious privacy invasion, there are other practical impacts on users:

    • Resource Usage: As bloatware, AppCloud consumes device resources (storage, memory, data bandwidth). It may download apps or content in the background (via Aura) that clutter the device and use up space/databusiness-standard.com business-standard.com. This can degrade performance and user experience, especially on budget devices with limited storage.
    • Security Risks: Having an unremovable background service with broad access is a security risk. If vulnerabilities exist in AppCloud/Aura, they could be exploited by third parties to compromise the device. Moreover, attempts to remove it via rooting can themselves expose the phone to additional security issues or void important security features sunnafiles.com.
    • No User Control: Users cannot restrict what AppCloud accesses. Since it’s a system-level app, it likely has been granted a suite of permissions by default. There is no straightforward way to revoke its permissions or stop its background data collection short of disabling it entirely (which, as noted, is temporary) smex.org. This lack of control is frustrating and anxiety-inducing for privacy-conscious owners – essentially, their phone is doing something against their will.

Legal and Geopolitical Concerns

The AppCloud saga has a unique dimension in MENA due to the origin of the software. ironSource, the developer of AppCloud/Aura, is an Israeli-founded tech firm, which introduces both legal and ethical issues in this region smex.org smex.org.

Violation of Local Laws: Many countries in the Middle East prohibit or restrict business dealings with Israeli companies for political reasons. For example, Lebanon has laws banning Israeli products and services (the Lebanese Anti-Israel Boycott Law of 1955)smex.org smex.org. By covertly embedding an Israeli-made application on phones sold in Lebanon and other Arab countries, Samsung may be causing unwitting consumers to violate their own country’s laws. At minimum, this affiliation is legally problematic in several markets. It is unprecedented for a major global brand to distribute Israeli-linked software in countries where such links are explicitly outlawed.

Data Protection Violations: Beyond geopolitics, there’s the issue of data protection law. No consent was obtained for AppCloud’s data collection, nor were users informed – a direct violation of basic privacy regulations. In the EU this would flout the GDPR, which requires informed consent for personal data processing smex.org. Likewise, a number of MENA countries have introduced data protection laws in recent years (e.g. Egypt’s data privacy law 2020, the UAE’s PDPL, Saudi Arabia’s PDPL) that mandate clear user consent and transparency smex.org. Samsung’s forced installation of a data-harvesting app “directly violates… GDPR and breaches multiple national privacy laws across the Middle East and North Africa,” as SMEX warned sunnafiles.com sunnafiles.com. If regulators were to investigate, Samsung could face legal penalties or bans for such practices.

Samsung’s Opaque Practices: Samsung’s terms of service do mention that third-party applications may be included on their devices, but nowhere do they specifically mention AppCloud or ironSource smex.org. This lack of disclosure is a transparency failure. Consumers buying a Samsung phone in good faith had no chance to know that an Israeli-origin app with deep access would be on their device. No official statement or detailed explanation was provided by Samsung to MENA customers about this partnership. The continued secrecy has prompted groups like SMEX to demand answers – they even published an open letter in May 2025 calling on Samsung to explain why AppCloud was pre-installed, what data it collects, and to provide a way for users to opt out smex.org. So far, Samsung has not issued a satisfying public response, leaving users and rights advocates in the dark.

Espionage Fears: Given the historical context, the presence of an Israeli-linked app in millions of Arab users’ phones has raised espionage and security concerns. SMEX’s open letter explicitly frames this issue amid “Israel’s espionage campaigns in the region”, urging vigilance smex.org. The Al-Estiklal report went further, suggesting that data from AppCloud could potentially facilitate surveillance or even targeting of individuals (for example, tracking political figures or activists)alestiklal.net. While Samsung and ironSource advertise Aura as a marketing and user engagement tool, the sensitive data it quietly extracts (location, device biometrics, etc.) could be repurposed for intelligence. This is especially worrisome in conflict zones or authoritarian environments, where such data falling into the wrong hands can put lives at risk. The mere possibility that a smartphone manufacturer might be involuntarily aiding foreign surveillance has understandably caused public outcry in countries like Lebanon alestiklal.net alestiklal.net. Critics also note a troubling pattern: this is not the first time Israeli tech has been found covertly infiltrating Arab communication systems (earlier incidents involved tampered hardware like pagers and communication gear)alestiklal.net alestiklal.net. The Samsung AppCloud case appears to be a high-tech extension of those tactics, leveraging commercial devices to achieve strategic data access.

What Can Users Do?

For users who discover “AppCloud” listed in their Samsung’s app settings, it can be quite disconcerting. Checking your device: If you have a Samsung Galaxy A-series or M-series phone bought in the MENA region (since 2022), go to Settings > Apps and scroll through the system apps to see if AppCloud is present. It may not have a regular icon, but it should appear in the apps list.

Disabling AppCloud: While you cannot uninstall AppCloud in the usual way, you can disable it via settings as a temporary mitigation. From Settings > Apps > AppCloud, you can tap “Disable” to stop it from running smex.org. This should prevent it from actively harvesting data or installing Aura content in the background (at least until the next system update). Keep in mind, however, that disabling does not remove the app, and Samsung may re-enable or reinstall it when the phone updates smex.org. It’s important to re-check after any software update to ensure it hasn’t been reactivated.

Complete Removal – Advanced Methods: Unfortunately, truly removing AppCloud requires advanced technical steps:

  • Using ADB (Android Debug Bridge): Tech-savvy users can connect the phone to a computer and use developer tools (ADB commands) to uninstall or “freeze” the AppCloud package. This approach requires enabling Developer Options on the phone and running command-line instructions. It can remove the app without rooting in some cases, but it’s non-trivial and beyond the comfort zone of typical users.
  • Rooting the Device: The surest method is to obtain root access (administrator-level control) on the phone, which then allows deletion of system apps like AppCloud smex.org. However, rooting comes with significant drawbacks: it voids your device warranty, may disable official updates, and can expose your phone to security vulnerabilities if not done carefully. For most users, rooting is not recommended unless you fully understand the risks.

 

Staying Safe: If you choose not to (or cannot) remove AppCloud, you can still take steps to limit its data collection:

  • Restrict background data: In Settings > Apps > AppCloud, you might be able to restrict its background data access (depending on Android version). This can at least prevent it from using mobile data freely.
  • Limit permissions: Check if AppCloud or Aura appear in the Permission Manager (under Privacy settings). If so, revoke any unnecessary permissions (e.g. location, if it somehow has it). On some devices, system apps might not show up here, but it’s worth a look.
  • Use a firewall/VPN: Android firewall apps or VPNs with filtering can block AppCloud from communicating with its servers, mitigating data exfiltration. This again is a technical solution requiring additional apps (and some firewalls need root), but a non-root option is to use a VPN that allows custom DNS or IP blocking.

 

Ultimately, these are workarounds. The average user shouldn’t have to jump through such hoops to protect their privacy on a new phone.

Samsung’s Accountability and Conclusion

It remains unclear why Samsung implemented such a feature specifically in the MENA region. The official line from Samsung and ironSource is that it’s about enhancing user experience with personalized content nasdaq.com nasdaq.com. In reality, it appears to be a data monetization strategy at best, and a negligent security risk at worst. Samsung may have calculated that users in these markets would be less likely to push back or that regulators are less stringent – a troubling double standard if true. Critics point out that targeting predominantly Arab and Muslim countries for this invasive bloatware was a “deeply political” choice sunnafiles.com, possibly exploiting a region with weaker oversight or seen as strategically valuable for intelligence.

Digital rights organizations are demanding answers. SMEX, the Beirut-based digital rights NGO that uncovered much of this, has called on Samsung to come clean. They urge Samsung to “fully disclose its data collection practices related to AppCloud” and to provide an easy way for users to opt-out or remove it sunnafiles.com smex.org. They also stress that Samsung should ensure any such removal will not affect device functionality or warranty smex.org. As of mid-2025, no adequate response from Samsung has been reported in the public domain. Users are left with either living with the spyware or taking matters into their own hands technically.

In conclusion, if you own a Samsung A or M series phone in the Middle East/North Africa, it’s crucial to check for the presence of AppCloud on your device. This is not just a harmless piece of carrier bloatware – it is a serious threat to your privacy and potentially your personal security. Without your consent, it can siphon off private data to external servers, with unknown end uses. The fact that it’s tied to an Israeli company operating in a sensitive region only amplifies concerns, given the backdrop of cyber-espionage in the area smex.org. Until Samsung acts to remedy the situation, users should remain vigilant. Take steps to disable the service, advocate for your rights to privacy, and spread awareness. Your smartphone should be under your control not a tool for clandestine data collection.

Sources:

  • SMEX (Social Media Exchange) – Open Letter to Samsung: End Forced Israeli-Founded Bloatware Installations in the WANA Region smex.org (May 2025).
  • SMEX – Invasive Israeli-founded bloatware is harvesting data from Samsung users in WANA smex.org (Ryan Yunis, 2024).
  • Nasdaq News – ironSource Expands Samsung Partnership, Launching on Samsung Mobile Devices in MENA nasdaq.com (Press release, Nov 3, 2022).
  • Al-Estiklal (International) – “Samsung’s ‘Aura’: Israeli Spyware in Your Pocket”alestiklal.net(Dec 2024).
  • Sunna Files – “Samsung Pre-Installs Israeli Spyware App on A & M Devices—Users Unable to Delete”sunnafiles.com (May 30, 2025).
  • Business Standard (India) – “How-to stop ironSource from installing apps on Samsung phones”business-standard.com (Jul 2021).