Two apps belonging to Chinese tech giant Baidu, Baidu Maps and Baidu Search Box, were removed from the Google Play Store at the end of October after they were caught collecting sensitive user details.
The two apps were discovered by Palo Alto Networks, which identified them, along with other apps leaking data, using a machine learning (ML)-based spyware detection system.
The two apps had a combined total of more than 6 million downloads at the time of their discovery. The code found in both apps allowed them to gather device data, including the device model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number.
The data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps.
Experts pointed out that while some of the collected information is “rather harmless,” data such as the IMSI can potentially be used to carry out malicious activities such as SIM swapping attacks and surveillance.
“While not a definitive violation of Google’s policy for Android apps, the collection of identifiers, such as the IMSI or MAC address, is discouraged based on Android’s best practice guide. Unit 42 notified Baidu of this discovery. Unit 42 also notified Google’s Android team, who confirmed the findings, identified unspecified violations and removed the applications from Google Play globally on Oct. 28, 2020.” reads the post published by Palo Alto Networks. “A compliant version of Baidu Search Box became available on Google Play globally on Nov. 19, 2020, while Baidu Maps remains unavailable globally.”
While the collection of this kind of data is not forbidden by Google’s policy for Android apps, the practice is discouraged by the IT giant. Nevertheless, Google removed the apps after identifying unspecified violations.
At the time of this writing, Baidu has uploaded a new version of the Baidu Search Box app to the Play Store; the new release does not include the data collection code.
Palo Alto Networks also identified similar data collection code in another SDK from a different company: ShareSDK, developed by Chinese ad tech giant MobTech.
“Data leakage from Android applications and SDKs represents a serious violation of users’ privacy. Detection of such behavior is vital in order to protect the privacy rights of mobile users.” concludes the post.
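As an added example that is not part of the original article or of Palo Alto Networks’ tooling, the script below shows a simple static triage check an analyst can run over decompiled app or SDK code (Java source or smali): it flags the Android API calls that return the identifiers named above (IMSI, MAC address, carrier, device model) and rates the finding. The API names are real Android APIs; the sample smali input and the risk rating rule are constructed for illustration.

```python
import re

# Android APIs that expose the identifiers discussed in the article, mapped to
# the identifier each one returns. Names are matched as whole tokens so that
# getNetworkOperator does not also count as getNetworkOperatorName.
IDENTIFIER_APIS = {
    "getSubscriberId": "IMSI",
    "getDeviceId": "IMEI",
    "getImei": "IMEI",
    "getMacAddress": "MAC address",
    "getNetworkOperator": "carrier",
    "getNetworkOperatorName": "carrier",
    "getSimOperator": "carrier",
    "Build.MODEL": "device model",                 # Java source form
    "Landroid/os/Build;->MODEL": "device model",   # smali form
}

# Constructed sample: a decompiled smali method harvesting device identifiers.
SAMPLE_SMALI = """\
.method private collectDeviceInfo()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getNetworkOperatorName()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/net/wifi/WifiInfo;->getMacAddress()Ljava/lang/String;
    sget-object v2, Landroid/os/Build;->MODEL:Ljava/lang/String;
.end method
"""


def scan_decompiled(text):
    """Return (line_no, api, identifier) for every identifier-returning API call found."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for api, ident in IDENTIFIER_APIS.items():
            if re.search(r"\b" + re.escape(api) + r"\b", line):
                hits.append((no, api, ident))
    return hits


def identifiers_collected(text):
    """The set of identifier kinds the scanned code can collect."""
    return {ident for _, _, ident in scan_decompiled(text)}


def risk_level(text):
    """Illustrative rating: subscriber identifiers (IMSI/IMEI) are the ones the
    article ties to SIM swapping and surveillance, so they rank highest."""
    found = identifiers_collected(text)
    if found & {"IMSI", "IMEI"}:
        return "high"
    return "medium" if found else "none"


if __name__ == "__main__":
    for no, api, ident in scan_decompiled(SAMPLE_SMALI):
        print(f"line {no}: {api} -> {ident}")
    print("risk:", risk_level(SAMPLE_SMALI))
```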