Baidu Android Apps Found Mining User Data

Two popular Chinese apps by Baidu have reportedly been collecting and leaking sensitive user details. ZDNet reports that Google removed both programs from the official Play Store at the end of October 2020 as a result.

The two apps in question are Baidu Maps and Baidu Search Box. According to Forbes, the two apps have had approximately six million users in the United States alone, with more users around the globe.

Researchers from Unit 42, the global threat intelligence team at Palo Alto Networks, first discovered the data collection. According to the researchers, the data the Baidu apps collected leaves users vulnerable to being tracked around the clock, and the collection stemmed from a software development kit (SDK) called Push.

Baidu Found Mining User Data

This SDK was reportedly sending sensitive user details to a server in China. The user information exposed included the phone's MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number.

In a blog post, the researchers from Unit 42 said that "The leaked data made users trackable, potentially over their lifetime." While the researchers only examined the app versions available on the Google Play Store, Forbes said the researchers believe the same behaviour is likely present in all available versions of the apps.

Both the IMSI and IMEI numbers can reportedly be used to track users even when they have changed devices, said the researchers.

ZDNet states that the same SDK is also used by over 37,500 other programs. While the data collection practices of the two Baidu programs became the center of attention, the underlying issue lies with the SDKs themselves, which are embedded in many other apps.

The researchers from Palo Alto Networks said that the Push SDK, as well as the Share SDK, "are frequently used by malicious applications to extract and transmit device data." According to ZDNet, these SDKs are also often leveraged by developers of malicious apps.

After the Palo Alto Networks researchers notified Google about the findings, the tech giant confirmed the violations and added that the apps in question had incurred further violations as well. Forbes states that Google subsequently removed the two apps from the Play Store on October 28, 2020.

Despite citing "additional violations," the tech giant did not disclose what these were. On November 19, 2020, one of the Baidu programs, the Baidu App, was seen back on the Google Play Store with new updates. Baidu Maps is still not available.
