Researchers report that Chinese-made Android apps collect important user information, risk of malware abuse



Unit 42, the global threat intelligence team of the Santa Clara, California-based cyber security company Palo Alto Networks, revealed in a report that two Android apps made by Baidu, a Chinese high-tech giant, contain code that collects sensitive information about the user. In response to this report, Google conducted an investigation and removed the two apps from Google Play on October 28, 2020.

Data Leakage Found From Android Apps on Google Play With Millions of Downloads
https://unit42.paloaltonetworks.com/android-apps-data-leakage/

Baidu Mobile Apps in Google Play Leak Sensitive Data | Threatpost
https://threatpost.com/baidu-apps-google-play-data/161556/

Baidu's Android apps caught collecting sensitive user details | ZDNet
https://www.zdnet.com/article/baidus-android-apps-caught-collecting-sensitive-user-details/

It is a common problem for mobile apps to collect data and leak it to the outside world, and leaked data can compromise user privacy and be used by cybercriminals in attacks. Unit 42 researchers Stefan Achleitner and Chengcheng Xu say that, in a survey using a machine learning-based spyware detection system, they found multiple Android apps on Google Play that could leak important data.

The Android apps the researchers reported as potentially leaking data included Baidu Search Box, Baidu's search app, and Baidu Maps, a map app. These apps have been downloaded more than 6 million times in total, and they are reported to have collected sensitive information that allows a user to be tracked even after changing devices.



Information that Android apps often collect includes the mobile phone model, the screen resolution, the phone's MAC address, the communication carrier, the network type (Wi-Fi, 2G, 3G, 4G, 5G), and the Android ID. It also includes the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).

Of these, the screen resolution is almost harmless even if cybercriminals learn it, but identifiers such as the IMSI, a unique number assigned to each mobile phone subscriber, and the IMEI, an identification number assigned to mobile phones and satellite phones, have many uses.

For example, the IMSI, which is generally tied to the SIM card, allows a user to be identified and tracked even if the device is changed and the phone number is reacquired. The IMEI can be used to report a phone as stolen to the provider and have the phone disabled, blocking its access to the network. Because this information is of great value to cybercriminals, they try to steal it by various methods.

Google's 'Best Practices for Unique Identifiers' for Android app developers also stresses the confidentiality of unique identifiers such as the IMSI and IMEI, and recommends using a different identifier when an app needs one.

Best Practices for Unique Identifiers | Android Developers | Android Developers
https://developer.android.com/training/articles/user-data-ids
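To make the distinction between the identifiers above concrete, here is an added example that is not code from the article, Unit 42, Baidu or Google: a small Python scanner that reads decompiled Java source and flags the Android framework calls and fields that return each identifier, grouped by how persistent the value is for tracking a user. The method and field names (`getSubscriberId`, `getDeviceId`, `getImei`, `getMacAddress`, `getNetworkOperatorName`, `Settings.Secure.ANDROID_ID`, `Build.MODEL`) are real Android APIs; the sample decompiled class and the high/medium/low grouping are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Android framework calls and fields that yield the identifiers discussed above.
# The names are real Android APIs; the risk labels are this example's own
# grouping (an assumption, not Google's or Unit 42's scheme):
#   high   - bound to the SIM or the hardware; the user cannot reset it
#   medium - resettable, but survives reinstalling the app
#   low    - descriptive device data that identifies no individual on its own
IDENTIFIER_APIS: Dict[str, Tuple[str, str]] = {
    "getSubscriberId":        ("IMSI", "high"),
    "getImei":                ("IMEI", "high"),
    "getDeviceId":            ("IMEI/MEID", "high"),
    "getMacAddress":          ("Wi-Fi MAC", "high"),
    "getNetworkOperatorName": ("carrier name", "low"),
}
IDENTIFIER_FIELDS: Dict[str, Tuple[str, str]] = {
    "Settings.Secure.ANDROID_ID": ("Android ID", "medium"),
    "Build.MODEL":                ("device model", "low"),
}

# Match ".<method>(" so that a similarly named local variable is not flagged.
METHOD_RE = re.compile(r"\.(" + "|".join(map(re.escape, IDENTIFIER_APIS)) + r")\s*\(")
FIELD_RE = re.compile("|".join(re.escape(f) for f in IDENTIFIER_FIELDS))


@dataclass
class Finding:
    line_no: int     # 1-based line in the decompiled source
    api: str         # the call or field that was matched
    identifier: str  # which identifier it yields
    risk: str        # "high", "medium" or "low"


def scan_source(source: str) -> List[Finding]:
    """Return every identifier-yielding call or field reference, in source order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        hits = [(m.start(), m.group(1), IDENTIFIER_APIS[m.group(1)])
                for m in METHOD_RE.finditer(line)]
        hits += [(m.start(), m.group(0), IDENTIFIER_FIELDS[m.group(0)])
                 for m in FIELD_RE.finditer(line)]
        for _, api, (identifier, risk) in sorted(hits):
            findings.append(Finding(line_no, api, identifier, risk))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per risk level; a non-zero 'high' count is what a reviewer acts on."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.risk] += 1
    return counts


# Constructed sample: a decompiled device-info collector of the kind a push SDK
# might contain. It is invented for this example and is not Baidu's code.
SAMPLE_DECOMPILED = """\
public class PushDeviceInfo {
    public JSONObject collect(Context ctx) throws JSONException {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        WifiInfo wi = ((WifiManager) ctx.getSystemService(Context.WIFI_SERVICE)).getConnectionInfo();
        JSONObject o = new JSONObject();
        o.put("imsi", tm.getSubscriberId());
        o.put("imei", tm.getDeviceId());
        o.put("mac", wi.getMacAddress());
        o.put("carrier", tm.getNetworkOperatorName());
        o.put("model", Build.MODEL);
        o.put("aid", Settings.Secure.getString(ctx.getContentResolver(), Settings.Secure.ANDROID_ID));
        return o;
    }
}
"""

if __name__ == "__main__":
    found = scan_source(SAMPLE_DECOMPILED)
    for f in found:
        print(f"line {f.line_no:3d}  {f.risk:6s}  {f.identifier:12s}  via {f.api}")
    print(summarize(found))
```

Run against real output from a decompiler (for example the Java emitted by jadx), the same scan points a reviewer at the exact lines where an SDK reads SIM- or hardware-bound identifiers, which are the ones Google's guidance says to replace with an app-scoped identifier.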



However, when Unit 42 researchers investigated Android apps on Google Play with their spyware detection system, they discovered code that collects sensitive user data, including the IMSI and MAC address, in the software development kit (SDK) for push notifications used by Baidu Search Box and Baidu Maps. The researchers found that other apps, such as Homestyler, which lets users place 3D interiors, have similar problems.

Collecting this information does not violate the Android app policy; it is only 'deprecated'. Nevertheless, the researchers reported the issue to Baidu and to Google's Android team. Google then investigated the Baidu apps further and removed the two apps on October 28, 2020, stating that it had found a violation other than the one reported by the researchers.

A Baidu spokeswoman said that although the Unit 42 report triggered the Google investigation, the user data collection itself had been carried out for some time with Google's permission and had nothing to do with the reason the apps were removed this time. Baidu is working to fix the issue in the apps: a fixed version of Baidu Search Box was re-released on November 19, and Baidu Maps will be re-released once the problem pointed out by Google is fixed.

If the data collected by an app is used only for sound purposes and is not leaked to the outside, it is not a serious problem. However, when the researchers analyzed Android malware, they found that some malware abused the SDK used in Baidu Search Box and Baidu Maps to extract and send device data. Since even apps developed for legitimate purposes can be exploited by cybercriminals if they have a security issue, the researchers insisted that Android app developers should follow Google's recommended best practices and collect data correctly.



in Mobile, Software, Security, Posted by log1h_ik