Report: Baidu Android apps had potential to expose data

Researchers at Unit42, a global threat intelligence team at Palo Alto Networks, have released research on two popular apps from Chinese tech giant Baidu. According to their blog post, Unit42 found that Baidu Maps and Baidu Search Box had the potential to leak the data of roughly 6 million customers (collectively, the apps have been downloaded 6 million times). Data leaks and malicious apps are nothing new for the Google Play Store, although this instance does not show malicious intent on Baidu’s part. Baidu disputes the findings in the research, saying in an email to TechGenix, “We haven’t exposed or leaked any user data” and that the Unit42 report “doesn’t offer enough evidence to prove that we leaked any info collected.”

Unit42 made the discovery as part of a larger investigation into Google Play Store apps: Baidu Maps and Baidu Search Box were collecting IMEI and IMSI data. Collecting this data is not illegal, but it is considered to be against Android’s best practices for unique identifiers. According to Unit42, the information collected by Baidu Maps and Baidu Search Box can be leveraged by cybercriminals and government spies to intercept communications and also collect sensitive data recorded on a user’s device.

Using a machine learning spyware detector, Unit42 was able to definitively prove that the IMEI and IMSI data collected by Baidu was being leaked. The following excerpt from their post gives the analysis:

To provide an example of data leakage, our ML-based spyware detection system identified the following message from the Android malware UmengAdware (SHA256: 49d7a7c4a2e6afe1feb3642f8aabe314f8c8fa156658e3f3bc0bf6926950d0c1), which was sent to a destination IP address in China (202[.]108.23.105) from an Android application executed in our malware sandbox, WildFire.

{"tiny_msghead":1,"devinfolength":167,"channel_token":"036442386962228444241069682909576236472810696832741015194936","devinfo":"tmAdvNNMC2M\/thyyYqqBnk0qDitAGWECdUbycugQvIMM3lvdew\/V0duYDaWD5edlacVoSVVZUp18\n6SokwTjUs96F8aARRh+IlGEF78CRFfHSJRC\/eSPHZglCMjrVcqmHKS0K+rJCh9Rh4kH5YqRskZVz\ncFIWOXlaRWRN3WCKPyBA1vpqa4ouNPzjSc5IzJBYNKjb6yKt6LRLosaaDlqar5rc12RDEA7micoU\nEDEnKWo=","tinyheart":1,"period":1800,"connect_version":2,"channel_type":3,"channel_id":"3522064114212580475"}

The data of interest is in the devinfo field, as shown in the highlighted part of the message above. After in-depth research on the contents of the message and analyzing multiple Android applications, we identified Baidu’s Android push SDK as the source of the message.
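An added example (not Unit42's detector and not code from the quoted post): a small egress check that scans one JSON message for 15-digit device identifiers, either in plaintext or under base64, and flags fields it cannot read, such as an encrypted devinfo. The `ua` and `extra` fields and all sample values are constructed, and labelling a non-Luhn 15-digit run as IMSI-length is a heuristic assumption.

```python
import base64, binascii, json, re

ID15 = re.compile(r"(?<!\d)\d{15}(?!\d)")  # IMEI and IMSI are both 15 digits

def luhn_ok(digits):
    """Luhn check; the last digit of an IMEI is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def identifiers(text):
    """Label 15-digit runs: Luhn-valid ones look like an IMEI, the rest are only IMSI-length."""
    return [("imei-like" if luhn_ok(m) else "imsi-length", m) for m in ID15.findall(text)]

def decode_blob(value):
    """Return decoded bytes if the string is plausibly base64, else None."""
    compact = "".join(value.split())            # tolerate embedded newlines
    if len(compact) < 24 or compact.isdigit():  # long numeric tokens are not blobs
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_message(raw):
    """Return (field, finding, detail) tuples for one JSON message body."""
    findings = []
    for field, value in json.loads(raw).items():
        if not isinstance(value, str):
            continue
        findings += [(field, kind, hit) for kind, hit in identifiers(value)]
        blob = decode_blob(value)
        if blob is None:
            continue
        if all(32 <= b < 127 for b in blob):    # base64 over readable text
            text = blob.decode("ascii")
            findings += [(field, "b64:" + kind, hit) for kind, hit in identifiers(text)]
        else:                                   # encrypted or binary: needs manual analysis
            findings.append((field, "opaque-blob", f"{len(blob)} bytes"))
    return findings

# Constructed sample; field names echo the quoted message, values are made up.
SAMPLE = json.dumps({
    "channel_token": "0123456789" * 6,
    "ua": "imei=490154203237518",
    "extra": base64.b64encode(b"imsi=001010123456789;model=constructed").decode(),
    "devinfo": base64.b64encode(bytes(range(128, 192))).decode(),
    "period": 1800,
})
```

An opaque-blob finding does not prove an identifier is present; it marks a field that pattern matching cannot clear and that needs deeper analysis.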

Google and Baidu were notified of the potential for data leakage in late October. While both apps were pulled from the Google Play Store, Baidu said the apps “were not removed from the Google Play Store for the findings in this research,” adding, “We have worked to update Baidu App and Baidu Maps in accordance with Google’s guidelines and the two apps have already returned to Google Play Store.”

This article was updated with information from Baidu.

Featured image: Flickr/bfishadow

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
