Two popular Android apps from the Chinese company Baidu, Baidu Maps and Baidu Search Box, were found collecting sensitive user data and were removed from the Google Play Store last month.
The two apps were collecting device identifiers, such as the International Mobile Subscriber Identity (IMSI) number and the MAC address, without the user's knowledge, making users potentially trackable online.
The issue was discovered by the network security firm Palo Alto Networks, which notified both Baidu and Google of its findings; the apps were subsequently removed on October 28, citing “unspecified violations.”
Both apps had more than 6 million downloads combined before being removed.
A compliant version of Baidu Search Box was restored to the Play Store on November 19, while Baidu Maps remains unavailable until the unresolved issues highlighted by Google are fixed.
The full list of data collected by the apps, as reported by the researchers, includes phone model, screen resolution, phone MAC address, carrier (telecom provider), network type (Wi-Fi, 2G, 3G, 4G, 5G), Android ID, IMSI number and International Mobile Equipment Identity (IMEI) number.
Using a machine learning-based algorithm designed to find anomalous spyware traffic, the researchers traced the origin of the data leak to Baidu’s Push SDK and to ShareSDK from the Chinese vendor MobTech.
MobTech supports 37,500 apps, including more than 40 social media platforms.
Google has taken several measures to secure the Play Store, but threat actors still find ways to infiltrate the app marketplace and exploit the platform for profit.
The Play Store is believed to be the primary source of malware installs on Android devices. The Play market has defenses against unwanted apps, but a large number of unwanted apps are still able to bypass them, making it the main distribution vector for such apps.