Two Banned Baidu Apps Have Been Spying On Millions Of Android Users

Baidu surveillance

One of the gifts of the mobile internet is the ability to track people.

From a marketing perspective, this is a huge advantage, since marketers profile their customers and potential consumers to target them with campaigns. But when tracking goes beyond what is necessary, an alarm should be raised.

And it should be treated as an alert when sensitive data is leaking.

Security researchers from Unit 42, the global threat intelligence team at Palo Alto Networks, have discovered that two apps from Chinese internet giant Baidu have been tracking users and gathering more details than necessary.

The two hugely popular apps affected are Baidu Search Box and Baidu Maps, which have collectively been downloaded more than six million times in the U.S. alone, with tens or hundreds of millions more downloads globally.

According to the researchers, a Baidu software development kit (SDK) called 'Baidu Push', used in the two apps, was found to be sending sensitive data to a Chinese server, including the user's phone model, the IMSI number, and the MAC address.

What makes this concerning is that Baidu is collecting users' IMSI and IMEI numbers, meaning that Baidu can identify and track a user even when they change phones.

Android function extracting IMSI number from Baidu Maps v10.24.8. (Credit: Palo Alto Networks)

The IMSI, for instance, is the number assigned by a cellular carrier to uniquely identify a subscriber. It identifies the subscriber through their connection to a cellular network and is typically tied to the phone's SIM card.

As long as a consumer keeps using the same SIM card, Baidu, having collected the IMSI number, can track that person even after they change devices. And as long as users don't change their phone number, Baidu could track them indefinitely.

Collecting this data has serious consequences, because if hackers get hold of these identifiers, they can deploy IMSI catchers to listen in on information from victims.

Unit 42 also looked at another SDK, called 'ShareSDK', which has been associated with Android malware and data leakage, and found similar behavior in the Baidu apps.

“Android applications that collect data, such as the IMSI, are able to track users over the lifetime of multiple devices. For example, if a user switches their SIM card to a new phone and installs an application that previously collected and transmitted the IMSI number, the app developer is able to uniquely identify that user,” the researchers wrote in their report.

“Data leakage from Android applications and SDKs represents a serious violation of users’ privacy. Detection of such behavior is vital in order to protect the privacy rights of mobile users.”
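The detection the researchers call for can start with static analysis of a decompiled app. The following Python scanner is an added illustration, not code from the Unit 42 report or from Baidu's SDKs: it walks apktool-style smali and flags calls to the real Android APIs that return the identifiers discussed above (getSubscriberId for the IMSI, getDeviceId for the IMEI, getMacAddress for the MAC address), then states which kind of cross-phone or cross-SIM correlation the collected set enables. The smali sample is constructed for the example.

```python
import re

# Dalvik method references returning long-lived identifiers (constructed table;
# the API names are real Android calls). "sim" identifiers follow the user to a
# new phone, "device" identifiers follow the phone through SIM swaps.
IDENTIFIER_APIS = {
    "Landroid/telephony/TelephonyManager;->getSubscriberId": ("IMSI", "sim"),
    "Landroid/telephony/TelephonyManager;->getDeviceId": ("IMEI", "device"),
    "Landroid/net/wifi/WifiInfo;->getMacAddress": ("MAC", "device"),
}

# Callee of any invoke-* instruction, e.g.
#   invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[^;]+;->\w+)\(")

# Constructed smali in the shape apktool emits; not taken from any real app.
SAMPLE_SMALI = """\
.method private collectIds(Landroid/telephony/TelephonyManager;Landroid/net/wifi/WifiInfo;)V
    .locals 1
    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    move-result-object v0
    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    invoke-virtual {p2}, Landroid/net/wifi/WifiInfo;->getMacAddress()Ljava/lang/String;
    move-result-object v0
    return-void
.end method
"""

def scan_smali(text):
    """Return [(line_no, identifier, scope)] for each identifier-harvesting call."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = INVOKE_RE.search(line)
        if m and m.group(1) in IDENTIFIER_APIS:
            ident, scope = IDENTIFIER_APIS[m.group(1)]
            hits.append((n, ident, scope))
    return hits

def tracking_verdict(hits):
    """Say what the collected identifiers let a developer correlate."""
    scopes = {scope for _, _, scope in hits}
    if scopes == {"sim", "device"}:
        return "tracks the user across phone changes and SIM changes"
    if "sim" in scopes:
        return "tracks the user across phone changes (SIM-bound identifier)"
    if "device" in scopes:
        return "tracks the phone across SIM changes (hardware identifier)"
    return "no permanent identifier collected"
```

Run `scan_smali` over every `.smali` file apktool produces for an APK to get the per-call hits, then `tracking_verdict` to summarise the privacy impact; a hit on an IMSI API plus a hardware identifier is exactly the combination that lets an app follow a user through both a new phone and a new SIM.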

Largest Android apps analyzed by Unit 42 that collect private information, ordered by the number of downloads in Google Play in the U.S. (Credit: Palo Alto Networks)

Unit 42's disclosure of the data leakage led to both Baidu Search Box and Baidu Maps being removed from Google Play globally on October 28.

An altered version of Baidu Search Box returned to the app store after being updated on November 19, while Baidu Maps remains unavailable at this time.

“While not a definitive violation of Google’s policy for Android apps, the collection of identifiers, such as the IMSI or MAC address, is discouraged based on Android’s best practice guide,” explained Stefan Achleitner and Chengcheng Xu, two Palo Alto Networks researchers.

“Unit 42 notified Baidu of this discovery. We also reported our findings to Google’s Android team. After a detailed analysis of the reported applications, Google confirmed our findings and identified unspecified violations in the reported Baidu applications.”

For its part, Baidu disputed the suggestion that Palo Alto Networks’ research led to the Google ban.

“We’re working to update Baidu Maps in accordance with Google’s guidelines and expect that the app will return to Google Play in early December,” a Baidu spokesperson said.

The Chinese company said that the data was being grabbed “to enable Push functionality, as disclosed in the privacy agreement. Baidu takes the privacy and security of its users very seriously and data is only used under the authorization of users. The reported issues had been addressed in the newest version of apps before Unit 42 reached out for its research.”

The company did not respond to further questions on why the apps were banned in the first place.

Published: 27/11/2020