Baidu Android apps caught collecting sensitive user data
The two apps, Baidu Maps and Baidu Search Box, were removed after Google received a report from US cyber-security firm Palo Alto Networks. Both apps had more than 6 million downloads combined before being removed.
According to the US security firm, the two apps contained code that collected information about each user’s phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number.
The data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps.
Palo Alto Networks security researchers Stefan Achleitner and Chengcheng Xu, who identified the data collection code, said that while some of the collected information is “rather harmless,” some data like the IMSI code “can be used to uniquely identify and track a user, even if that user switches to a different phone.”
The research team said that, while collecting personal user data is not specifically forbidden by Google’s policy for Android apps, after they reported the issue to Google the Play Store security team confirmed their findings and “identified [additional] unspecified violations” in the two Baidu apps, which eventually led to the two apps being removed from the official store on October 28.
At the time of writing, the Baidu Search Box app has been restored to the Play Store, and Palo Alto Networks said Baidu developers have removed the data collection code.
But in addition to the Baidu Push SDK, the Palo Alto Networks team said they also identified similar data collection code in the ShareSDK developed by Chinese ad tech giant MobTech.
Achleitner and Xu say this SDK, used by more than 37,500 apps, also allows app developers to collect data such as phone model information, screen resolution, MAC addresses, Android ID, Advertising ID, carrier info, and IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity) codes.
“Analysis of Android malware shows that SDKs, such as the Baidu Push SDK or ShareSDK, are frequently used by malicious applications to extract and transmit device data,” Achleitner and Xu said, suggesting that while the SDKs may have been developed for legitimate purposes, such as pushing notifications and sharing content on social media, they are often abused by the developers of malicious apps.
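As an added illustration, not taken from the article or from Palo Alto Networks’ analysis, the following Python triage script flags the Android API calls behind the identifier types named above (IMSI, IMEI, MAC address, Android ID, Advertising ID, carrier, phone model) in decompiled smali and checks them against the permissions an app’s manifest declares; the API table and the sample smali lines are constructed for this example, not taken from either SDK.

```python
import re
from collections import defaultdict

# Hypothetical triage table for this example: regex for the API usage as it
# appears in decompiled Java/smali -> (identifier read, permission normally required).
IDENTIFIER_APIS = {
    r"getSubscriberId":                        ("IMSI",           "READ_PHONE_STATE"),
    r"getDeviceId|getImei":                    ("IMEI",           "READ_PHONE_STATE"),
    r"getMacAddress":                          ("MAC address",    "ACCESS_WIFI_STATE"),
    r"android_id":                             ("Android ID",     None),
    r"getAdvertisingIdInfo":                   ("Advertising ID", None),
    r"getNetworkOperatorName|getSimOperator":  ("carrier info",   None),
    r"Build\.MODEL|Build;->MODEL":             ("phone model",    None),
}

def scan_sources(lines):
    """Return {identifier: [line numbers]} for every flagged API usage."""
    hits = defaultdict(list)
    for lineno, line in enumerate(lines, 1):
        for pattern, (ident, _perm) in IDENTIFIER_APIS.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits[ident].append(lineno)
    return dict(hits)

def missing_permissions(hits, manifest_permissions):
    """Identifiers read without the permission their API requires.
    Such calls either fail at runtime or mark a code path worth a closer review."""
    needed = {ident: perm for _p, (ident, perm) in IDENTIFIER_APIS.items() if perm}
    short = {p.rsplit(".", 1)[-1] for p in manifest_permissions}
    return sorted(ident for ident in hits if ident in needed and needed[ident] not in short)

# Constructed sample: smali lines in the style of a bundled push/share SDK.
SAMPLE_SMALI = """\
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
invoke-virtual {v1}, Landroid/net/wifi/WifiInfo;->getMacAddress()Ljava/lang/String;
sget-object v2, Landroid/os/Build;->MODEL:Ljava/lang/String;
const-string v3, "android_id"
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getNetworkOperatorName()Ljava/lang/String;
""".splitlines()
SAMPLE_MANIFEST_PERMS = {"android.permission.INTERNET", "android.permission.ACCESS_WIFI_STATE"}

def triage(lines=SAMPLE_SMALI, perms=SAMPLE_MANIFEST_PERMS):
    hits = scan_sources(lines)
    return hits, missing_permissions(hits, perms)

if __name__ == "__main__":
    hits, missing = triage()
    for ident, where in sorted(hits.items()):
        print(f"{ident:15} read at lines {where}")
    print("APIs used without their permission declared:", missing)
```

On the constructed sample the script reports all six identifier reads and notes that the IMSI and IMEI calls have no READ_PHONE_STATE declaration backing them.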
All in all, this is a recurring problem not only for the Android ecosystem but for the entire online app world, with many apps collecting sensitive user data without restriction in the absence of legislation that specifically prohibits such practices.