Apple and Google removed ToTok, a chat app that has been downloaded millions of times by users worldwide, amid claims the app was a front for the government of the United Arab Emirates to spy on users.
Perhaps the most troubling part of it all is that there would have been no way for either company to detect any malicious intent from the app, which on the surface seems like an alternative to WhatsApp, according to one security expert.
“It’s virtually impossible to defend any commercial process against a determined and well-resourced nation state,” says Bob Rudis, chief data scientist at Rapid7.
App developers are required to go through a stringent review before their app is published in Apple’s App Store. Of the 100,000 apps Apple reviews each week, 40% are rejected, according to the company, with the main reasons being small bugs, followed by privacy concerns. Google also has controls for developers seeking to publish in Google Play; however, the process is a bit more hands-off than the iPhone maker’s.
An Apple spokesperson confirmed ToTok had been removed from the App Store and tells Fortune that the company is “investigating” the situation.
A Google spokesperson tells Fortune that the company takes “reports of security and privacy violations seriously. If we find behavior that violates our policies, we take action.”
Emirati officials can allegedly use ToTok to monitor anyone’s conversations, locations, relationships, and shared media. Breej Holding, the publisher of ToTok, was linked to DarkMatter, an intelligence and hacking firm based in Abu Dhabi that the FBI is allegedly investigating for possible cyber crimes, according to a New York Times report published on Sunday.
The newspaper cited “American officials familiar with a classified intelligence assessment” and its own investigation into the app.
ToTok, not to be confused with the Chinese video app TikTok, filled a void in the United Arab Emirates by offering both video and text chat. Video calls on WhatsApp and Skype, which are both encrypted, are restricted in the country.
While the app has Abu Dhabi roots, it has been downloaded by users around the world. The Google Play Store listed more than five million downloads of the app before it was removed. App Annie, which tracks app downloads, said it was one of the most downloaded social apps in the U.S. last week.
The app’s popularity and its function, which earned mostly positive reviews in both app stores, made it a sort of Trojan Horse on millions of smartphones. It passed Apple’s review checklist, which included linking to a detailed privacy policy and disclosing what data it collects, how it uses it, and how long it is retained.
“Any application developer can code malicious intent into an application in such a way as to make it oblivious to reviewers and users,” says Rudis.
Simply put: There’s no need to pull off a complex hack on targets. Users are choosing to download the app and use it, without knowing that someone is keeping a close watch on their private messages.
In a blog post on Monday, ToTok says it is unavailable in both app stores due to a “technical issue.”
“While the existing ToTok users continue to enjoy our service without interruption, we would like to inform our new users that we are well engaged with Google and Apple to address the issue,” it said, without addressing allegations it has ties to the Emirati government and was being used to spy on users.
The company said the app is still available in Samsung, Huawei, Xiaomi, and Oppo app stores, and that it is working to deliver even more new features, including payments, news, shopping, and entertainment.
It’s certainly not the first time a seemingly benign app has raised concerns over possible government ties. FaceApp, a Russian app that lets people apply various filters to see what they might look like in old age or alter their appearance in other ways, went viral again in July. The Democratic National Committee urged campaigns not to use the app. Sen. Chuck Schumer also sent a letter to the FBI, which issued a conclusion earlier this month that the app was a “potential counterintelligence threat.”
FaceApp is still available to download.