Baidu apps with 6 million US downloads found to be leaking sensitive user data
Security researchers from Palo Alto Networks have discovered that apps produced by Chinese firm Baidu have been leaking sensitive data about users.
Baidu Search Box and Baidu Maps -- which have been downloaded more than six millions times in the US alone -- were found to be sending details such as MAC addresses, phone models, IMSI and IMEI to a server in China. The researchers warned Google about the activity of the Android apps which were then removed from the Play Store.
The Baidu apps were gathering data from phones without user consent, and the nature of the data that was collected opened up people to being tracked online and targeted by cybercriminals. Palo Alto Networks' security researcher told Google about its findings, as well as notifying Baidu itself. Google responded by pulling the apps from its store on October 28 for "unspecified violations".
Explaining its findings, Palo Alto Networks says that among the data being collected was:
- Phone model.
- Screen resolution.
- Phone MAC address.
- Carrier (Telecom Provider).
- Network (Wi-Fi, 2G, 3G, 4G, 5G).
- Android ID.
- IMSI (International Mobile Subscriber Identity).
- IMEI (International Mobile Equipment Identity).
The security firm goes on to say:
While some of this information, such as screen resolution, is rather harmless, data such as the IMSI can be used to uniquely identify and track a user, even if that user switches to a different phone and takes the number. The IMEI is a unique identifier of the physical device and denotes information such as the manufacturing date and hardware specifications.
The IMSI uniquely identifies a subscriber to a cellular network and is typically associated with a phone’s SIM card, which can be transferred between devices. Both identifiers can be used to track and locate users within a cellular network.
Baidu Search Box has since been cleaned up, and has reappeared in the Play Store. Baidu Maps is due to get the same treatment and will be available to Android users once again soon.
Image credit: roncivil / depositphotos