Security researchers have discovered that two hugely popular apps made by Chinese internet giant Baidu have been leaking user details. The data breach (opens in new tab) affects Baidu Search Box and Baidu Maps, which have collectively been downloaded more than six million times in the US alone.
According to researchers from Unit 42, the global threat intelligence team at Palo Alto Networks (opens in new tab), a Baidu software development kit was found to be sending sensitive =data to a Chinese server, including the user's phone model, the IMSI number, and MAC address.
Although it may seem like a relatively innocuous piece of data, the IMSI number could enable a bad actor to track a user indefinitely.
- Check out our complete list of the best antivirus (opens in new tab) software
- We've put together a list of the best VPN (opens in new tab) solutions
- We've also highlighted the best China VPN (opens in new tab) available
“While not a definitive violation of Google’s policy for Android apps, the collection of identifiers, such as the IMSI or MAC address, is discouraged based on Android’s best practice guide.” Stefan Achleitner and Chengcheng Xu, two Palo Alto Networks researchers, explained (opens in new tab).
“Unit 42 notified Baidu of this discovery. We also reported our findings to Google’s Android team. After a detailed analysis of the reported applications, Google confirmed our findings and identified unspecified violations in the reported Baidu applications.”
Tracked for life
Because the IMSI number identifies an individual through their connection to a cellular network, it is typically associated with a phone’s SIM card. If a cyberattacker gets a hold of this number, it will remain useful to them even if an individual changes device – assuming the SIM card remains the same. Active and passive IMSI catchers can be deployed to listen in on information from phone users.
Unit 42 looked at Android malware associated with data leakages and found similar behavior to that being displayed by the Baidu apps, using SDKs to extract and transmit device data. The team also used machine learning tools to better identify when data was being spied upon.
The disclosure of the data breach by Unit 42 led to both Baidu Search Box and Baidu Maps being removed from Google Play globally on October 28. An altered version of Baidu Search Box was returned to the app store on November 19, while Baidu Maps remains unavailable.
- Also, check out our list of the best proxy service providers (opens in new tab)
Via Forbes (opens in new tab)