Baidu apps in Google Play Store left users vulnerable to tracking

A pair of Baidu applications on the Google Play Store were recently leaking users’ sensitive data that could be used to track users’ location, according to Palo Alto Networks’ Unit 42 research published Tuesday.

Through reverse-engineering, the researchers at Unit 42, the research arm at Palo Alto Networks, found that both the Baidu Search Box and Baidu Maps applications used a software development kit (SDK) that would collect users’ MAC address, carrier information and international mobile subscriber identity (IMSI) number.

It’s the kind of data that, if it were to fall into the wrong hands, could be used to stalk, monitor, or even harass an individual. IMSI numbers, for instance, could allow cybercriminals or state-linked actors to track someone, even if they switch to a new device, as IMSI numbers can be used to uniquely identify a user. Snoops using IMSI catchers, which imitate cell towers to capture a user’s location, have been known to do just that. MAC addresses survive factory resets and can’t be reset by users. For privacy reasons, Android application developers are advised against working with MAC addresses.
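The article says Unit 42 found the identifier collection by reverse-engineering the apps. The script below is an added illustration of the kind of static check a reviewer can run over decompiled Android source (Java or smali) and over an AndroidManifest.xml to flag calls that return exactly the identifiers named above (IMSI, Wi-Fi MAC, carrier) and the permissions that gate them. It is not Unit 42's tooling and not Baidu's or the SDK's code; the `DeviceProfile` fragment and manifest are constructed samples for a hypothetical analytics SDK, while the Android API and permission names are the real framework ones.

```python
"""Flag device-identifier harvesting in decompiled Android source (added example)."""
import re
import xml.etree.ElementTree as ET

# Real Android framework methods that return hardware or subscriber identifiers.
IDENTIFIER_APIS = {
    "getSubscriberId": "IMSI via TelephonyManager.getSubscriberId",
    "getDeviceId": "IMEI/MEID via TelephonyManager.getDeviceId",
    "getSimOperator": "carrier MCC+MNC via TelephonyManager.getSimOperator",
    "getNetworkOperatorName": "carrier name via TelephonyManager.getNetworkOperatorName",
    "getMacAddress": "Wi-Fi MAC via WifiInfo.getMacAddress",
}

# Real permissions that gate the APIs above (READ_PHONE_STATE for telephony
# identifiers, ACCESS_WIFI_STATE for WifiInfo on older Android releases).
IDENTIFIER_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_WIFI_STATE",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Matches Java-style "tm.getSubscriberId(" and smali-style "->getSubscriberId(".
CALL_RE = re.compile(r"(?:\.|->)(" + "|".join(IDENTIFIER_APIS) + r")\s*\(")

# Constructed sample: a Java-like fragment of a hypothetical analytics SDK.
SAMPLE_SOURCE = """package com.example.analyticssdk;

public class DeviceProfile {
    String collect(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        String imsi = tm.getSubscriberId();
        String carrier = tm.getNetworkOperatorName();
        WifiManager wm = (WifiManager) ctx.getSystemService(Context.WIFI_SERVICE);
        String mac = wm.getConnectionInfo().getMacAddress();
        return imsi + "|" + carrier + "|" + mac;
    }
}"""

# Constructed sample manifest for the same hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""


def find_identifier_calls(source):
    """Return (line_no, api, description) for each identifier-returning call."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in CALL_RE.finditer(line):
            api = match.group(1)
            findings.append((line_no, api, IDENTIFIER_APIS[api]))
    return findings


def identifier_permissions(manifest_xml):
    """Return the declared permissions that gate identifier access, sorted."""
    root = ET.fromstring(manifest_xml)
    declared = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
    }
    return sorted(declared & IDENTIFIER_PERMISSIONS)


def triage(source, manifest_xml):
    """Combine both checks; a hit in both is the strongest signal for review."""
    calls = find_identifier_calls(source)
    perms = identifier_permissions(manifest_xml)
    return {
        "calls": calls,
        "permissions": perms,
        "collects_identifiers": bool(calls) and bool(perms),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SOURCE, SAMPLE_MANIFEST)
    for line_no, api, desc in report["calls"]:
        print(f"line {line_no}: {api}() -> {desc}")
    print("permissions:", ", ".join(report["permissions"]))
    print("collects identifiers:", report["collects_identifiers"])
```

Run against a real decompilation, the same two functions take the concatenated `.java` or `.smali` files and the decoded manifest; a hit on the calls without the permission usually means the code is dead or guarded, while both together is what a reviewer should treat as the app actually collecting the identifier.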

“The concern with it is it was exposing things that are specific just to an individual phone itself,” said Jen Miller-Osborn, Unit 42’s deputy director of threat intelligence. “Best practices are typically for apps to not collect that because at that level you can basically track the person.”

The applications, which had been downloaded a combined 6 million times in the U.S., left approximately 6 million U.S. users vulnerable, researchers said in their findings.

Beijing-based Baidu is one of China’s most visible technology firms, recognized for its search services and ongoing work on artificial intelligence. The company did not immediately return a request for comment.

Google removed the applications from the Play Store in late October to remedy the issues. One of the applications, Baidu Search Box, now has a globally compliant version that is available in the store, while Baidu Maps is not yet available, according to Unit 42. Google confirmed the findings, according to Unit 42.

The incident is a reminder that just because an application is available in an official app marketplace, it doesn’t mean it will protect user data, Miller-Osborn says. Researchers have a long history of discovering nefarious behaviors in mobile apps, including spreading malicious software, stealing user credentials and enrolling users’ devices in expensive subscription services.

“The users aren’t going to be aware that this data is leaking — there’s nothing they can see from their device itself to know that one of their apps is collecting this data in the background and sending it back,” she said. “But it’s something that users should really just be aware of. When they’re downloading things we feel like it should be called out a little more explicitly that that kind of data is being collected.”

