A pair of Baidu applications on the Google Play Store were recently leaking users’ sensitive data that could be used to track users’ location, according to Palo Alto Networks’ Unit 42 research published Tuesday.
Through reverse-engineering, the researchers at Unit 42, the research arm at Palo Alto Networks, found that both the Baidu Search Box and Baidu Maps applications used a software development kit (SDK) that would collect users’ MAC address, carrier information and international mobile subscriber identity (IMSI) number.
It’s the kind of data that, if it were to fall into the wrong hands, could be used to stalk, monitor, or even harass an individual. IMSI numbers, for instance, could allow cybercriminals or state-linked actors to track someone, even if they switch to a new device, as IMSI numbers can be used to uniquely identify a user. Snoops using IMSI catchers, which imitate cell towers to capture a user’s location, have been known to do just that. MAC addresses survive factory resets and can’t be reset by users. For privacy reasons, Android application developers are advised against working with MAC addresses.
“The concern with it is it was exposing things that are specific just to an individual phone itself,” said Jen Miller-Osborn, Unit 42’s deputy director of threat intelligence. “Best practices are typically for apps to not collect that because at that level you can basically track the person.”
The applications left approximately 6 million users in the U.S. vulnerable, as they had been downloaded a combined 6 million times in the U.S., researchers said in their findings.
Beijing-based Baidu is one of China’s most visible technology firms, recognized for its search services and ongoing work on artificial intelligence. A company spokesperson said in a statement, “Baidu takes the privacy and security of its users very seriously and data is only used under the authorization of users.”
Google removed the applications from the Play Store in late October to address violations the company found after Unit 42 reached out. One of the applications, Baidu Search Box, now has a globally compliant version that is available in the store, while Baidu Maps is not yet available, according to Unit 42. Google confirmed the findings, according to Unit 42.
The incident is a reminder that just because an application is available in an official app marketplace, it doesn’t mean it will protect user data, Miller-Osborn says. Researchers have a long history of discovering nefarious behaviors from mobile apps, including the spread of malicious software, theft of user credentials and enlisting their device in expensive subscription services.
“The users aren’t going to be aware that this data is leaking — there’s nothing they can see from their device itself to know that one of their apps is collecting this data in the background and sending it back,” she said. “But it’s something that users should really just be aware of. When they’re downloading things we feel like it should be called out a little more explicitly that that kind of data is being collected.”
Clarification, 11/25/20: This article has been updated to clarify why the applications were removed from the Google Play Store, based on information made available to CyberScoop after initial publication.