Two Baidu apps expose ‘sensitive’ data on 1.4 billion Android phones

Tram Ho

The researchers pointed to Baidu Maps and Baidu App, both of which were removed from Google Play last month after Google received the report.

Globally, the two applications were downloaded 1.4 billion times in total. According to experts in Palo Alto Networks’ Unit 42 division, they expose data on the phone that puts anyone who installs them at risk of surveillance. In the report, the researchers write that the leaked data could allow a user to be tracked for life. The tested apps came from Google Play, but the researchers believe all versions on other app markets are affected as well.

[Image 1: Two Baidu apps expose ‘sensitive’ data on 1.4 billion Android phones]

The researchers discovered that Baidu’s software development kit (SDK), embedded in the applications, was quietly sending “sensitive” user data back to servers in China. The information includes the phone model, the IMSI number and the MAC address. This data may seem harmless, but according to Unit 42, the IMSI and IMEI codes can be used to identify and track users even when they change phones. The IMSI, for example, is the number the telecom carrier assigns to a user to identify them as a subscriber.

“Android apps gathering data like the IMSI can track users for life on multiple devices. For example, if a user changes the SIM card to a new phone and installs an application that previously collected and transmitted the IMSI number, the application developer will identify that user,” the report wrote. “The data leaked from Android apps and the SDK represents a serious violation of user privacy. Detecting such behavior is of utmost importance to protecting the privacy of mobile users.”

Users also face the risk of attacks by cybercriminals, who could use the exposed information to detect and redirect calls, said Stefan Achleitner, chief researcher at Unit 42. A hacker could redirect a user’s call to their bank and pose as a bank representative asking for banking details, then use those details to access the user’s bank accounts and steal their money.

After Palo Alto Networks notified Google of the problems last month, Google confirmed the findings and removed the two apps on October 28. Baidu App returned to Google Play on November 19 after an update, but Baidu Maps is still banned.

Baidu denies that Palo Alto Networks’ research led to its applications being banned by Google. The Chinese company said it is updating Baidu Maps in line with Google’s guidelines and hopes to bring the app back to Google Play in early December.

Baidu insists that the collected data is used only to enable the push notification feature, as outlined in its privacy agreement.

Earlier this year, another Chinese manufacturer, Xiaomi, was found to record users’ browsing habits via Android apps, even when they were using incognito mode.


Source: Genk