Palo Alto Networks researchers discovered that apps from the Chinese tech company Baidu were leaking sensitive data that could allow lifetime user tracking. Unit 42 researchers used machine learning-based threat detection mechanisms to identify the apps implicated in the sensitive data leak.
Americans have downloaded the apps more than 6 million times from the Google Play Store. About 1.4 billion people worldwide were affected by the data leak, according to Unit 42's estimate. The researchers only checked the Google Play Store versions and believed that all other app stores were affected as well.
Apps implicated in the Android data leak
Unit 42 researchers found that Baidu Search Box and Baidu Maps leaked sensitive data that could be used for cross-device lifetime user tracking. Google removed the risky apps from the Play Store on October 28 after receiving the report.
Baidu has since uploaded a new version of Baidu Search Box (also known as Baidu App), while Baidu Maps remains unavailable on Google's app store at the time of writing.
Other apps implicated in the data leak include the interior decoration app Homestyler. ShareSDK, from the Chinese company MobTech, was also reported.
ShareSDK is the largest Chinese developer platform allowing social media account managers to collect user information. It supports more than 40 social media platforms and is used in more than 37,500 applications.
User tracking data leaked by Baidu apps
While the researchers could not establish whether the data leak stemmed from malicious intent or a design error, they confirmed that the leaked data could allow user tracking.
The report authors indicated that Baidu apps leaked sensitive information, including the phone’s MAC address, International Mobile Subscriber Identity (IMSI) number, and carrier information.
Mobile network operators use the IMSI number associated with a SIM card to identify a subscriber within their cellular network.
Effective mobile device-based user tracking could be carried out using the device's MAC address and IMSI number.
Additionally, because the IMSI is tied to the SIM card rather than the handset, an attacker could keep tracking users who change phones but keep the same SIM card. According to the researchers, this cross-device user tracking could allow an attacker to track victims over their entire lifetime.
Other non-compliant Android apps also leaked the International Mobile Equipment Identity (IMEI) number, Android ID, carrier information, phone model, screen resolution, and network type (Wi-Fi, 3G, 4G, etc.).
Although leaking some of this data, such as screen resolution, is harmless, exposing the IMEI number is more concerning. The IMEI number is used to identify and track a device and could allow an attacker to report the device as stolen and have it blocked.
To discourage user tracking, Google advises developers against collecting mobile devices' unique identifiers such as MAC addresses and IMSI numbers. An attacker could also use active and passive IMSI catcher tools to profile devices and intercept text messages and phone calls.
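The identifiers above (IMSI, IMEI, MAC address, carrier, network type) are each read through specific Android framework calls, so an app or SDK audit can flag them in decompiled code. The following is an added example, not code from the Unit 42 report or from any of the apps it names: a small Python scanner over decompiled smali text that reports which identifier each call reads and whether the combination of a SIM-bound and a hardware-bound identifier (the combination the report ties to cross-device tracking) is present. The Android API names are real; the sample smali and the `com.example.pushsdk` class are constructed for the example.

```python
import re

# Android framework calls that return the identifiers named in the report.
# API names are real; the identifier labels are this example's own mapping.
IDENTIFIER_APIS = {
    "Landroid/telephony/TelephonyManager;->getSubscriberId": "IMSI",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "IMEI",
    "Landroid/telephony/TelephonyManager;->getImei": "IMEI",
    "Landroid/net/wifi/WifiInfo;->getMacAddress": "MAC",
    "Landroid/telephony/TelephonyManager;->getSimOperatorName": "carrier",
    "Landroid/telephony/TelephonyManager;->getNetworkType": "network type",
}
# SIM-bound ids survive a phone swap; hardware-bound ids survive a SIM swap.
SIM_BOUND = {"IMSI"}
HARDWARE_BOUND = {"IMEI", "MAC"}

CALL_RE = re.compile(r"invoke-\w+ \{[^}]*\}, (L[\w/$]+;->\w+)\(")
CLASS_RE = re.compile(r"^\.class .*?(L[\w/$]+;)")

def scan_smali(text):
    """Return [(line_no, calling_class, identifier)] for every call to a
    tracked API in decompiled smali text (one or more .class blocks)."""
    findings, current = [], "<unknown>"
    for n, line in enumerate(text.splitlines(), 1):
        c = CLASS_RE.match(line.strip())
        if c:
            current = c.group(1)   # attribute later calls to this class
            continue
        m = CALL_RE.search(line)
        if m and m.group(1) in IDENTIFIER_APIS:
            findings.append((n, current, IDENTIFIER_APIS[m.group(1)]))
    return findings

def cross_device_tracking_possible(findings):
    """True when both a SIM-bound and a hardware-bound identifier are read,
    i.e. the pairing the report says allows tracking across phone changes."""
    kinds = {kind for _, _, kind in findings}
    return bool(kinds & SIM_BOUND) and bool(kinds & HARDWARE_BOUND)

# Constructed sample: a fictitious push SDK class, not any real vendor's code.
SAMPLE_SMALI = """\
.class public Lcom/example/pushsdk/DeviceInfo;
.super Ljava/lang/Object;
.method public collect()V
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getSimOperatorName()Ljava/lang/String;
    invoke-virtual {v2}, Landroid/net/wifi/WifiInfo;->getMacAddress()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getNetworkType()I
.end method
"""

if __name__ == "__main__":
    hits = scan_smali(SAMPLE_SMALI)
    for line_no, cls, kind in hits:
        print(f"line {line_no}: {cls} reads {kind}")
    print("cross-device tracking possible:", cross_device_tracking_possible(hits))
```

Run it against the output of a smali decompiler (for example, the per-class `.smali` files produced from an APK) to get a per-SDK inventory of identifier reads before publishing an app.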
Baidu denies leaking data and user tracking
A Baidu spokesman said that the information requested by Baidu Search Box was needed to enable its push functionality. He denied that Baidu App and Baidu Maps were removed from the Google Play Store because of user tracking.
He added that the data collection process was disclosed in the Apps’ privacy agreement accepted by the users.
“Baidu App and Baidu Maps were not removed from the Google Play store for the findings in this research. Baidu App has returned to the Play Store as of November 19. Similar to Baidu App, we are working to update Baidu Maps in accordance with Google’s guidelines and expect that the app will return to Google Play in early December.”
However, Google investigated the apps and found additional undisclosed violations before removing them.
Despite Baidu's claims of obtaining consent, many users do not understand the implications of granting apps access to sensitive data. Most users also do not understand user tracking or know whether the apps they use are involved in a data leak.
Palo Alto Networks pointed out that the Android SDK data leak was a severe violation of users’ privacy.