A Small Set of Android Apps Exposed the Data of Over 100 Million Users
Last updated September 25, 2021
The apps “Baidu Search Box” and “Baidu Maps” found themselves under the magnifying glass of Palo Alto ‘Unit42’ researchers and didn’t come out clean. Unfortunately, the researchers discovered that the two apps were leaking sensitive user data from the devices they were installed on.
The leak doesn’t appear to be a bug or misconfiguration. On the contrary, it’s a Baidu SDK that pushes the user data to a Chinese server, most likely owned by Baidu, a Beijing-based internet and AI company.
So, here’s what was logged by the two Baidu apps and sent to the Chinese server:
Some of the above (like the screen resolution, for example) are pretty innocuous, but others constitute a reason for worry. The IMSI is valuable when you want to track someone as it’s bound to the cellular service subscriber, while the IMEI is a unique identifier for the device itself.
One way to exploit the IMEI maliciously would be to report the phone as stolen to the telco and disable the device remotely. Call and SMS interception would also be possible, although more exploitation methods would be involved in these scenarios.
Similarly, the MAC address constitutes a persistent identifier that many people use in whitelists in office spaces, for instance. Android app developers pay great attention to the MAC address’s security, ensuring that their apps do not leak this information.
Apart from the two Baidu apps, which have a total of six million downloads by U.S. users through the Google Play Store, there’s also the “Homestyler – Interior Design & Decorating Ideas,” which also collects private information from the user’s device. This app has over five million installations in the U.S., and Google has not removed it from the Play Store yet. The other two are already gone, following the Unit42 report.
If you have these apps installed on your device, maybe you would like to reconsider using them. Also, the next time an app asks for the “read phone status and identity” permission on Android, it’s your Android ID, IMEI, and IMSI that it’s asking for. If this is not an app that has a good reason to ask for that data, do not grant permission, and better avoid using the app altogether.