Google Removed Two Baidu Android Apps Collecting Users’ Sensitive Data From Play Store – One Restored Recently

Recently, Google had to remove two Baidu Android apps that researchers found collecting sensitive user data. Baidu, however, has denied any link between the removal of the apps and the researchers’ claims. One of the apps even re-appeared on the Play Store lately.

Two Baidu Android Apps Collecting Users’ Data

Researchers from Palo Alto Networks’ Unit 42 division have shared a report about their findings regarding apps collecting user information.

Briefly, they observed two Android Baidu apps – Baidu Maps and Baidu Search Box – collecting users’ sensitive data.

Some of the data the apps obtained from users included the device model, screen resolution, telecom provider, network, and identifiers like MAC address, Android ID, IMSI (International Mobile Subscriber Identity), and IMEI (International Mobile Equipment Identity).

Such data collection exposes users to further cybersecurity risk and continuous tracking in the future, according to the researchers. Describing the risks associated with the misuse of such sensitive data, the researchers stated,

Android applications that collect data, such as the IMSI, are able to track users over the lifetime of multiple devices…
Data such as the IMSI or the IMEI are desirable for cybercriminals, who can use methods such as active and passive IMSI catchers to overhear this information from cell phone users. Once this data is acquired, cybercriminals can profile users and further extract sensitive information about them…
This data can also be misused by cybercriminals or state actors to violate a user’s privacy and take advantage of the leaked information to intercept phone calls or text messages. Users can be put further at risk if cybercriminals or state actors intercept messages that transfer information in plain text or with weak encryption.

Google Initially Suspended Baidu Apps; Baidu Search Box Restored

Following the researchers’ report, Google investigated the matter and found numerous policy violations by the apps. Hence, Google removed Baidu Maps and Baidu Search Box from the Play Store.

However, Baidu Search Box reappeared on Play Store after complying with Google’s policies.

In a statement to Latest Hacking News, a Baidu official has elaborated that the removal of the apps from the Play Store had no link with Unit 42’s findings. Besides, the information they collect from the users is only used for authorization purposes, as disclosed in their privacy agreement.

Baidu App (or referred as “Baidu Search Box” in the report) and Baidu Maps were not removed from the Google Play store for the findings in this research. Baidu App has returned to the Play Store as of November 19. Similar to Baidu App, we’re working to update Baidu Maps in accordance with Google’s guidelines and expect that the app will return to Google Play in early December.
The referenced information requested by Baidu App was used to enable push functionality, as disclosed in the privacy agreement. Baidu takes the privacy and security of its users very seriously and data is only used under the authorization of users. The reported issues had been addressed in the newest version of apps before Unit 42 reached out for its research.

Other Apps Collecting Data Similarly

Besides the two Baidu apps, the researchers also observed similar behavior with another app Homestyler – Interior Design & Decorating Ideas. This app also collects private data and is still live on the Play Store.

Also, they observed the abuse of Baidu Push SDK and Mobtech’s ShareSDK by malicious Android apps to collect similar data.

To prevent safety breaches, researchers advise all Android developers to comply with Android best practices to manage user data. Whereas, the users must also carefully review the details an app asks to record or access before granting permissions.

Updated to add comment from Baidu that LHN received after the publication of this article.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients