Two popular Android apps from Chinese tech giant Baidu were temporarily unavailable on the Google Play Store in October after they were caught collecting sensitive user details.
The two apps in question—Baidu Maps and Baidu Search Box—were found to collect device identifiers, such as the International Mobile Subscriber Identity (IMSI) number or MAC address, without users’ knowledge, thus making them potentially trackable online.
The discovery was made by network security firm Palo Alto Networks, who notified both Baidu and Google of their findings, after which the search company pulled the apps on October 28, citing “unspecified violations.”
As of writing, a compliant version of Baidu Search Box has been restored to the Play Store on November 19, while Baidu Maps remains unavailable until the unresolved issues highlighted by Google are fixed.
A separate app named Homestyler was also found to collect private information from users’ Android devices.
According to Palo Alto researchers, the full list of data collected by the apps include:
- Phone model
- Screen resolution
- Phone MAC address
- Carrier (Telecom Provider)
- Network (Wi-Fi, 2G, 3G, 4G, 5G)
- Android ID
- IMSI number
- International Mobile Equipment Identity (IMEI) number
Using a machine learning-based algorithm designed to detect anomalous spyware traffic, the origin of the data leak was traced to Baidu’s Push SDK as well as ShareSDK from the Chinese vendor MobTech, the latter of which supports 37,500 apps, including more than 40 social media platforms.
While Google has taken steps to secure the Play store and stop the malicious activity, bad actors are still finding ways to infiltrate the app marketplace and leverage the platform for their gain.
Indeed, an academic study published by researchers from NortonLifeLock earlier this month found the Play Store to be the primary source of malware installs (about 67.5%) on Android devices based on an analysis of app installations on 12 million handsets over a four-month period between June and September 2019, fueled in part due to the wide popularity of the platform.
However, its vector detection ratio — the ratio of unwanted apps installed through that vector overall apps installed through that vector — was found to be only 0.6% when compared to alternative third-party app stores (3.2%).
“Thus, the Play market defenses against unwanted apps work, but still significant amounts of unwanted apps are able to bypass them, making it the main distribution vector for unwanted apps,” the researchers said.
If anything, the incident is yet another reminder that no app, even if developed by a legitimate third-party, can be taken for granted.
This also means the usual safeguards such as scrutinizing app reviews, developer details, and the list of requested permissions may not offer enough protection, thus making it difficult to ascertain if a permission is misused by cybercriminals to steal private data.
“In mobile devices, it is typical to ask a user to grant a list of permissions upon installation of an application or to prompt a user to allow or deny a permission while the application is running,” Palo Alto researchers concluded.
“Disallowing permissions can often result in a non-working application, which leads to a bad user experience and might tempt a user to click on ‘allow’ just to be able to use an application. Even if a certain permission is granted, it is often up to the app developers whether it is used in accordance with the official guidelines.”