- Researchers uncovered what really goes on under the hood of two Baidu apps for Android.
- The apps collect sensitive user and device identification information and send it to a server in China.
- Together, the apps have six million installations on devices in the United States.
The apps “Baidu Search Box” and “Baidu Maps” came under the magnifying glass of Palo Alto Networks’ Unit42 researchers and didn’t come out clean: the researchers found that both apps were leaking sensitive user data from the devices they were installed on.
The leak doesn’t appear to be a bug or a misconfiguration. On the contrary, it is a Baidu SDK that pushes the user data to a server in China, most likely owned by Baidu, a Beijing-based internet and AI company.
So, here’s what was logged by the two Baidu apps and sent to the Chinese server:
- Phone model
- Screen resolution
- Phone MAC address
- Carrier (Telecom Provider)
- Network (Wi-Fi, 2G, 3G, 4G, 5G)
- Android ID
- IMSI (International Mobile Subscriber Identity)
- IMEI (International Mobile Equipment Identity)
Some of the above (like the screen resolution, for example) are pretty innocuous, but others constitute a reason for worry. The IMSI is valuable when you want to track someone as it’s bound to the cellular service subscriber, while the IMEI is a unique identifier for the device itself.
One way to exploit the IMEI maliciously would be to report the phone as stolen to the telco and have the device disabled remotely. Call and SMS interception would also be possible, although those scenarios would require further steps beyond knowing the IMEI.
Similarly, the MAC address is a persistent identifier that many organizations use in allowlists for office networks, for instance. Android app developers are expected to pay great attention to protecting the MAC address and to ensure that their apps do not leak it.
Apart from the two Baidu apps, which together have six million downloads by U.S. users through the Google Play Store, there is also “Homestyler – Interior Design & Decorating Ideas,” which likewise collects private information from the user’s device. This app has over five million installations in the U.S., and Google has not removed it from the Play Store yet. The other two are already gone, following the Unit42 report.
If you have these apps installed on your device, you may want to reconsider using them. Also, the next time an app asks for the “read phone status and identity” permission on Android, it is your Android ID, IMEI, and IMSI that it is asking for. If the app has no good reason to ask for that data, do not grant the permission, and preferably avoid using the app altogether.
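The “read phone status and identity” prompt corresponds to the `android.permission.READ_PHONE_STATE` permission. As an added defender-side check (not from the article or from Unit42), the function below takes the text of `adb shell dumpsys package` and lists which packages request or hold that permission; the dumpsys excerpt embedded here is constructed, with placeholder package names rather than the apps named in the article.

```python
import re

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
# Package names are placeholders, not the apps discussed in the article.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.mapsapp] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
    runtime permissions:
      android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
  Package [com.example.weather] (7a8b9c):
    userId=10125
    requested permissions:
      android.permission.READ_PHONE_STATE
    runtime permissions:
      android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET ]
"""

PHONE_STATE = "android.permission.READ_PHONE_STATE"


def phone_state_holders(dumpsys_text):
    """Return {package: status} for every package that requests READ_PHONE_STATE.

    status is "granted" (a granted=true entry exists), "denied" (an entry
    exists with granted=false) or "requested" (declared in the manifest but
    no install/runtime entry was seen, so the grant state is unknown).
    """
    holders = {}
    current = None
    for line in dumpsys_text.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        if header:
            current = header.group(1)  # start of a new package record
            continue
        if current is None or PHONE_STATE not in line:
            continue
        grant = re.search(r"granted=(true|false)", line)
        if grant:
            holders[current] = "granted" if grant.group(1) == "true" else "denied"
        else:
            holders.setdefault(current, "requested")  # manifest-level request only
    return holders
```

Packages reported as "granted" are the ones able to read the IMEI and IMSI on devices where those calls are gated by this permission; review them with the same question the article raises, whether the app has a good reason to need that data.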
26/11/2020 Update with Baidu’s comment:
Baidu App (or referred to as “Baidu Search Box” in the report) and Baidu Maps were not removed from the Google Play store for the findings in this research. Baidu App has returned to the Play Store as of November 19. Similar to Baidu App, we’re working on updating Baidu Maps in accordance with Google’s guidelines and expecting that the app will return to Google Play in early December.
The referenced information requested by Baidu App was used to enable push functionality, as disclosed in the privacy agreement. Baidu takes the privacy and security of its users very seriously, and data is only used under the authorization of users. The reported issues had been addressed in the newest version of apps before Unit 42 reached out for its research.