Report: Baidu Android apps had potential to expose data

Researchers at Unit42, a global threat intelligence team at Palo Alto Networks, have released research on two popular apps from Chinese tech giant Baidu. According to their blog post, Unit42 found that Baidu Maps and Baidu Search Box had the potential to leak the data of roughly 6 million customers (collectively, the apps have been downloaded 6 million times). Data leaks and malicious apps are nothing new for the Google Play Store, although this instance does not show malicious intent on Baidu’s part. Baidu disputes the findings in the research, saying in an email to TechGenix, “We haven’t exposed or leaked any user data” and that the Unit42 report “doesn’t offer enough evidence to prove that we leaked any info collected.”

The Unit42 report, which came out of a larger investigation into Google Play Store apps, found that Baidu Maps and Baidu Search Box were collecting IMEI and IMSI data. This is not illegal, but it is considered to be against Android’s best practices for unique identifiers. According to Unit42, the information collected by Baidu Maps and Baidu Search Box can be leveraged by cybercriminals and government spies to intercept communications and to collect sensitive data recorded on a user’s device.

Using a machine learning spyware detector, Unit42 was able to definitively prove that the IMEI and IMSI data collected by Baidu was being leaked. Their analysis is quoted in the following post excerpt:

To provide an example of data leakage, our ML-based spyware detection system identified the following message from the Android malware UmengAdware (SHA256: 49d7a7c4a2e6afe1feb3642f8aabe314f8c8fa156658e3f3bc0bf6926950d0c1), which was sent to a destination IP address in China (202[.]108.23.105) from an Android application executed in our malware sandbox, WildFire.

{"tiny_msghead":1,"devinfolength":167,"channel_token":"036442386962228444241069682909576236472810696832741015194936","devinfo":"tmAdvNNMC2M\/thyyYqqBnk0qDitAGWECdUbycugQvIMM3lvdew\/V0duYDaWD5edlacVoSVVZUp18\n6SokwTjUs96F8aARRh+IlGEF78CRFfHSJRC\/eSPHZglCMjrVcqmHKS0K+rJCh9Rh4kH5YqRskZVz\ncFIWOXlaRWRN3WCKPyBA1vpqa4ouNPzjSc5IzJBYNKjb6yKt6LRLosaaDlqar5rc12RDEA7micoU\nEDEnKWo=","tinyheart":1,"period":1800,"connect_version":2,"channel_type":3,"channel_id":"3522064114212580475"}

The data of interest is in the devinfo field, as shown in the highlighted part of the message above. After in-depth research on the contents of the message and analyzing multiple Android applications, we identified Baidu’s Android push SDK as the source of the message.

Google and Baidu were notified of the potential for data leakage in late October. While both apps were pulled from the Google Play Store, Baidu said the apps “were not removed from the Google Play Store for the findings in this research,” adding, “We have worked to update Baidu App and Baidu Maps in accordance with Google’s guidelines and the two apps have already returned to Google Play Store.”

This article was updated with information from Baidu.

Featured image: Flickr/bfishadow
