Application Security , Governance & Risk Management , Next-Generation Technologies & Secure Development
Google Removes 2 Android Apps That Collected User DataPalo Alto Networks Discovers Problem in Baidu Apps
Google removed two Android apps made by a Chinese company from its Google Play store after security researchers found they were collecting and possibly leaking data that could have been used to track individuals, according to Palo Alto Networks' Unit 42.
The two apps, which were developed by Baidu, had more than 6 million combined downloads in the U.S., Unit 42 said in a report published Tuesday.
Baidu Search Box and Baidu Maps were among several apps in Google Play that Unit 42 researchers Stefan Achleitner and Chengcheng Xu discovered were collecting and leaking data, such as the user's unique International Mobile Equipment Identity. A threat actor could use this information to track a user’s movements and location, according to Unit 42.
The user data was being collected within the Baidu Push software developer kit, which was used with both the Baidu Search Box and Baidu Maps, Achleitner and Xu say.
Before publishing their findings this week, Achleitner and Xu notified Google, which removed the apps in late October, according to the report. Baidu was also informed.
"Unit 42 also notified Google’s Android team, who confirmed the findings, identified unspecified violations and removed the applications from Google Play globally on Oct. 28, 2020," according to the researchers
A compliant version of Baidu Search Box became available within Google Play globally on Nov. 19, 2020, while Baidu Maps remains unavailable globally, the Unit 42 report says.
A spokesperson for Baidu says that the data was only used to help with the functionality of the apps and the company is working with Google to ensure all policies are followed. "Baidu takes the privacy and security of its users very seriously and data is only used under the authorization of users. The reported issues had been addressed in the newest version of apps before Unit 42 reached out for its research," the spokesperson added.
In addition to the International Mobile Equipment Identity, Achleitner and Xu found the two apps collected the phone model, MAC address and carrier information. This could be used to help track a user, harvest other personal data or intercept phone calls and text messages.
"Android applications that collect data, such as the [International Mobile Subscriber Identity], are able to track users over the lifetime of multiple devices," the Unit 42 report states. "For example, if a user switches their SIM card to a new phone and installs an application that previously collected and transmitted the IMSI number, the app developer is able to uniquely identify that user."
Besides Baidu Push SDK, the Unit 42 team found other software development kits used to create Android apps that collect unusual amounts of personal data and information. They include ShareSDK, developed by Chinese vendor MobTech, which is used with more than 37,500 apps, according to the report.
While ShareSDK is designed to allow third-party app developers to easily access social media sharing and registration, it can also allow app developers to acquire users' information, friends lists and other social functions, Unit 42 says.
ShareSDK also collects a user's International Mobile Subscriber Identity and International Mobile Equipment Identity data, much like the Baidu SDK, according to the report.
"Analysis of Android malware shows that SDKs, such as the Baidu Push SDK or ShareSDK, are frequently used by malicious applications to extract and transmit device data," Achleitner and Xu say.