Two apps developed by Chinese tech giant Baidu were leaking “sensitive” user data
https://www.forbes.com/sites/thomasbrews...f2e5071357

Warning: Banned Baidu Apps Exposed ‘Sensitive’ Data On Millions Of Android Phones
Thomas Brewster, Forbes Staff, Cybersecurity
Associate editor at Forbes, covering cybercrime, privacy, security and surveillance.

Two apps developed by Chinese tech giant Baidu were leaking “sensitive” user data that potentially left millions of users open to surveillance or cybercrime, researchers claimed on Tuesday.

The two apps—Baidu Maps and the Baidu App—were thrown out of the Google Play store late last month, as Google thanked researchers for disclosing privacy issues in the software. Baidu App is back online after being updated, whilst Baidu Maps remains offline.

The apps have as many as 6 million users in the U.S. alone, with tens or hundreds of millions more globally. (A previous estimate from Palo Alto suggested as many as 1.4 billion had downloaded the apps, but the firm later retracted that number.) Researchers at Palo Alto Networks’ Unit 42 claimed they were leaking data from phones that could’ve left anyone who downloaded the apps open to persistent surveillance. “The leaked data made users trackable, potentially over their lifetime,” they wrote in a report seen by Forbes ahead of publication. They only checked the version of the app that was downloadable over Google Play, but they believe it’s possible all versions from all global app stores could be affected.

The researchers found that a Baidu software development kit (SDK) called Push in the apps was sending “sensitive” user data to a Chinese server. The information included phone model, IMSI number and MAC address.

That data leakage might appear innocuous, but as noted by the Unit 42 researchers, IMSI and IMEI numbers can be used to identify and track a user, even when they change phones. The IMSI, for instance, is the number given by a cellular carrier to uniquely identify a subscriber.

“Android applications that collect data, such as the IMSI, are able to track users over the lifetime of multiple devices. For example, if a user switches their SIM card to a new phone and installs an application that previously collected and transmitted the IMSI number, the app developer is able to uniquely identify that user,” the researchers wrote.

“Data leakage from Android applications and SDKs represents a serious violation of users’ privacy. Detection of such behavior is vital in order to protect the privacy rights of mobile users.”

There’s a potential risk of cybercrime for users, too, said Stefan Achleitner, principal researcher for Unit 42, as it might be possible to detect and redirect a call using the leaked information. “A financially motivated cybercriminal could redirect a phone call that a user makes to their bank and, pretending to be a bank representative, the cybercriminal could ask for the user’s bank information,” Achleitner told Forbes. “From there, the cybercriminal could access the user’s bank account and potentially steal their money.”

On and off Google Play
After Palo Alto informed Google of the problems last month, the researchers said the Mountain View, California, giant confirmed the findings and subsequently identified “additional violations” before removing the apps on October 28. Neither Google nor Palo Alto said what the additional violations were. Baidu App was back on Google Play on November 19 after being updated, but Baidu Maps remains barred.

Baidu disputed the suggestion that Palo Alto Networks’ research led to the Google ban. “We’re working to update Baidu Maps in accordance with Google’s guidelines and expect that the app will return to Google Play in early December,” a Baidu spokesperson said.

The Chinese company said that the data was being grabbed “to enable Push functionality, as disclosed in the privacy agreement. Baidu takes the privacy and security of its users very seriously and data is only used under the authorization of users. The reported issues had been addressed in the newest version of apps before Unit 42 reached out for its research.”

The company had not responded to further questions on why the apps were banned in the first place.

A Google spokesperson didn’t provide further detail, but added: “We appreciate the work of the research community, and companies like Palo Alto Networks, who work to strengthen the security of the Play Store. We look forward to collaborating with them on more research in the future.”

Earlier this year, another Chinese vendor, Xiaomi, was seen recording users’ Web browsing habits via its Android apps, even when they were operating in incognito mode.

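To make the tracking point from the article concrete, here is an added Python example (not part of the Forbes piece, and not Unit 42's tooling or Baidu's Push SDK code) that scans form-encoded registration POST bodies for IMSI, IMEI and MAC values and then groups handsets by IMSI, which is the cross-device linkage the researchers describe. The sample traffic is constructed, and the field names (imsi, imei, mac, token, model), the short MCC list and the Luhn/MCC fallback heuristics are all assumptions for this example.

```python
"""Flag hardware identifiers (IMSI, IMEI, MAC) in outbound SDK telemetry and show
how a leaked IMSI links one subscriber across devices.

Added example for this thread; it is not Unit 42's tooling or Baidu's SDK code.
The POST bodies below are constructed to resemble a push-registration call and
the field names (imsi, imei, mac, token, ...) are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
DIGITS15_RE = re.compile(r"^\d{15}$")

# Mobile country codes used to sanity-check 15-digit values when the field name
# gives no hint. Assumption: a short list for this sample, not the full ITU table.
KNOWN_MCC = {"310", "311", "460", "262", "234"}

# Constructed sample traffic: (device label, form-encoded POST body).
SAMPLE_POSTS = [
    ("phone-A", "model=SM-G973F&imsi=310150123456789&mac=AA:BB:CC:DD:EE:01&token=abc"),
    ("phone-A", "model=SM-G973F&imei=490154203237518&push_ver=6"),
    # Same SIM moved into a different handset: same IMSI, new MAC.
    ("phone-B", "model=Pixel+4&imsi=310150123456789&mac=AA:BB:CC:DD:EE:02&token=def"),
    ("phone-C", "model=Mi+9&imsi=460001234567891&token=ghi"),
    # Benign registration: app token and locale only.
    ("phone-D", "lang=en&tz=UTC&token=jkl"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn check: an IMEI's 15th digit is a check digit, an IMSI has none."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_identifiers(body: str) -> dict:
    """Return {kind: set(values)} for identifiers found in a form-encoded body.

    The field name is used when it is self-describing; otherwise any 15-digit
    value is classified by the Luhn check (IMEI) or a known MCC prefix (IMSI).
    """
    found = defaultdict(set)
    for key, value in parse_qsl(body, keep_blank_values=True):
        k = key.lower()
        if MAC_RE.match(value):
            found["mac"].add(value.lower())
        elif DIGITS15_RE.match(value):
            if "imei" in k:
                found["imei"].add(value)
            elif "imsi" in k:
                found["imsi"].add(value)
            elif luhn_ok(value):
                found["imei"].add(value)   # heuristic: Luhn-valid 15 digits
            elif value[:3] in KNOWN_MCC:
                found["imsi"].add(value)   # heuristic: plausible MCC, no check digit
    return dict(found)


def flagged_devices(posts) -> list:
    """Devices whose traffic carried at least one hardware identifier."""
    return sorted({dev for dev, body in posts if extract_identifiers(body)})


def link_devices(posts) -> dict:
    """Group device labels by leaked IMSI: one IMSI seen on two handsets is the
    same subscriber after a SIM swap, which is the lifetime-tracking risk."""
    by_imsi = defaultdict(set)
    for dev, body in posts:
        for imsi in extract_identifiers(body).get("imsi", ()):
            by_imsi[imsi].add(dev)
    return {imsi: sorted(devs) for imsi, devs in by_imsi.items()}


if __name__ == "__main__":
    for dev, body in SAMPLE_POSTS:
        print(dev, extract_identifiers(body) or "no hardware identifiers")
    print("linked across devices:", link_devices(SAMPLE_POSTS))
```

In practice you would feed this the request bodies captured from an interception proxy while exercising the app, rather than the constructed bodies above. The Luhn and MCC checks are only a fallback for fields whose names do not give the identifier away; a 15-digit IMSI passes Luhn about one time in ten by chance, so a real detector should also key on the field names the SDK actually uses once they are known.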