Google Finally Pulls Chinese Apps Stealing Personal Data

After 6 million downloads, two spyware apps have been removed from the Play Store. What took Google so long?

But they weren’t removed because they were spyware. The real problem was they didn’t tell their users they were spyware—this is the brazen excuse from their developer, Baidu.

Wait, what? As the researchers who discovered the problem point out, Baidu has no business sniffing your phone’s IMSI or IMEI. In today’s SB Blogwatch, we give thanks.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: deconstructing Bieber.


Bogus Baidu Boo-Boo

What’s the craic? Catalin Cimpanu reports—“Baidu’s Android apps caught collecting sensitive user details”:

 Two Android applications belonging to Chinese tech giant Baidu have been removed from the … Play Store. … Baidu Maps and Baidu Search Box were removed after Google received a report … that the two apps contained code that collected information about users.

The code collected details such as phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number. … While the collection of personal user details was not specifically forbidden by Google’s policy … the Play Store security team confirmed their findings and “identified [additional] unspecified violations” in the two Baidu apps, which eventually led to the two apps being removed. … Both apps had more than 6 million downloads combined before being removed.

A Baidu spokesperson said that … the data collection behavior was not the reason the two apps were taken off the Play Store … as the Chinese company had obtained permission from users to collect this info from users. … The Baidu team said it’s working to resolve [the] other issues.

Stefan Achleitner and Chengcheng Xu … also identified similar data collection code in the ShareSDK developed by Chinese ad tech giant MobTech … used by more than 37,500 apps. [They] say this SDK also allows app developers to collect [similar] data.

So? Simon Sharwood says—“Google binned two apps by China’s Baidu, which says researchers got it wrong by linking it to personal info leaks”:

 Baidu disputes that the data leakage Palo Alto described is the reason for the apps departing the Play store, [saying] the reason the apps were removed from the Play Store was “One of our APKs has prominent disclosure but the disclosure is not adequate.” … Baidu says the personal information was only used to enable push functionality and that the privacy agreement in its apps disclosed that use.

Collecting MACs and IMSIs … is discouraged [by Google].

Who discovered the naughtiness? Stefan Achleitner and Chengcheng Xu—“Android Apps Leaking Sensitive Data”:

 Leaked data violates users’ privacy and can be used for further attacks by cybercriminals. … With the help of a machine learning (ML)-based spyware detection system, Unit 42 researchers identified multiple Android applications on Google Play that were leaking data. … A compliant version of Baidu Search Box became available on Google Play globally on Nov. 19, 2020, while Baidu Maps remains unavailable.

While some of this information, such as screen resolution, is rather harmless, data such as the IMSI can be used to uniquely identify and track a user, even if that user switches to a different phone, [because it] is typically associated with a phone’s SIM card, which can be transferred between devices. … Android applications that collect data, such as the IMSI, are able to track users over the lifetime of multiple devices.

Data such as the IMSI or the IMEI are desirable for cybercriminals. … Once this data is acquired, cybercriminals can profile users and further extract sensitive information about them. For example … they could use it to report the phone as stolen and trigger the provider to disable the device and block its access to the network [or] intercept phone calls or text messages.

Another example of an Android SDK that collects sensitive information from a user’s phone is ShareSDK from the Chinese vendor MobTech. … Other applications available in Google Play in the U.S. that we analyzed include the Homestyler – Interior Design & Decorating Ideas app, which uses the framework GrowingIO. … The app collects private information from a user’s device. This app has not been taken down by Google.
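The identifier harvesting the researchers describe can be spotted before install with a static pass over a decompiled APK: look for the framework calls that return the IMSI, IMEI and MAC, check whether the manifest grants the permission each one needs, and note whether the call site sits in the app’s own package or in a bundled third-party SDK. The Python below is an added example written for this post; it is not Unit 42’s ML detection system and not code from Baidu or MobTech. It assumes apktool-style smali output and an AndroidManifest.xml, and the app package com.example.mapsapp and SDK package com.hypotheticalsdk are constructed placeholders.

```python
"""Static triage of a decompiled APK for IMSI/IMEI/MAC harvesting (added example)."""
import re
from collections import defaultdict

# Real Android framework methods, written as baksmali/apktool emit them.
# Each returns one of the identifiers named in the research.
SENSITIVE_CALLS = {
    "Landroid/telephony/TelephonyManager;->getSubscriberId()": "IMSI",
    "Landroid/telephony/TelephonyManager;->getDeviceId()": "IMEI",
    "Landroid/telephony/TelephonyManager;->getImei()": "IMEI",
    "Landroid/net/wifi/WifiInfo;->getMacAddress()": "MAC",
}
# Permission each identifier needs; a call site without it cannot succeed.
REQUIRED_PERMISSION = {
    "IMSI": "android.permission.READ_PHONE_STATE",
    "IMEI": "android.permission.READ_PHONE_STATE",
    "MAC": "android.permission.ACCESS_WIFI_STATE",
}

PERMISSION_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')
CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L[^;]+;)", re.M)


def declared_permissions(manifest_xml):
    """Set of permissions declared in the manifest."""
    return set(PERMISSION_RE.findall(manifest_xml))


def find_call_sites(smali_text):
    """Yield (identifier, calling class) for each sensitive framework call."""
    m = CLASS_RE.search(smali_text)
    cls = m.group(1) if m else "<unknown>"
    for line in smali_text.splitlines():
        if not line.lstrip().startswith("invoke-"):
            continue
        for descriptor, ident in SENSITIVE_CALLS.items():
            if descriptor in line:
                yield ident, cls


def triage(manifest_xml, smali_files, app_package):
    """Return {identifier: {"classes": [...], "permitted": bool, "third_party": bool}}."""
    perms = declared_permissions(manifest_xml)
    prefix = "L" + app_package.replace(".", "/") + "/"
    findings = defaultdict(lambda: {"classes": [], "permitted": False, "third_party": False})
    for text in smali_files.values():
        for ident, cls in find_call_sites(text):
            f = findings[ident]
            f["classes"].append(cls)
            f["permitted"] = REQUIRED_PERMISSION[ident] in perms
            if not cls.startswith(prefix):
                f["third_party"] = True  # call lives in a bundled SDK, not the app's own code
    return dict(findings)


# Constructed sample input: a manifest and two smali files. The harvesting
# sits in a hypothetical push SDK package, mirroring the ShareSDK pattern.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mapsapp">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SMALI = {
    "com/example/mapsapp/MainActivity.smali": """.class public Lcom/example/mapsapp/MainActivity;
.super Landroid/app/Activity;
.method public onCreate(Landroid/os/Bundle;)V
    invoke-virtual {p0, v0}, Lcom/example/mapsapp/MainActivity;->setContentView(I)V
.end method
""",
    "com/hypotheticalsdk/push/DeviceInfo.smali": """.class public Lcom/hypotheticalsdk/push/DeviceInfo;
.super Ljava/lang/Object;
.method public static collect(Landroid/content/Context;)Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/net/wifi/WifiInfo;->getMacAddress()Ljava/lang/String;
.end method
""",
}


def report():
    """Run the triage over the constructed sample."""
    return triage(MANIFEST, SMALI, "com.example.mapsapp")


if __name__ == "__main__":
    for ident, f in sorted(report().items()):
        where = "third-party SDK" if f["third_party"] else "app code"
        status = "permission granted" if f["permitted"] else "permission missing"
        print(f"{ident}: {where}, {status}, in {', '.join(f['classes'])}")
```

Run on the sample, the IMSI and IMEI reads are flagged as live (READ_PHONE_STATE is declared) and attributed to the SDK package rather than the app, while the MAC read is flagged but unpermitted. A real review would run this over every smali file apktool produces and treat any third-party hit on a permitted identifier as the first thing to ask the vendor about.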

But what can we do? Heed the wisdom of u/DarkwraithKnight:

 At this point, I simply ignore the existence of Baidu. For me, this … company is nothing but a virus.

But what can Google do? See drinkypoo’s déjà vu: [You’re fired—Ed.]

 Baidu is well-known for Spyware. … If Google really wants to pretend to care about malware, they will ban Baidu from the Google Store completely, as well as anyone who includes their libraries.

Doing anything else sends the message that you can get caught spying on users over and over again without any real penalty. After all, it takes no time to whip up a new version of an app with a different name, that you can sneak the spyware into later.

And this Anonymous Coward agrees:

 Baidu at it again. Baidu has a history of tracking users using shady techniques.

I found a hidden Base64 encoded configuration file on the SD card of a friend’s Android device that looked to be a unique identifier used for tracking and sharing with other apps that also had access to the SD card. A quick … search determined my suspicions were accurate.

Is it really a Store problem? Maybe it’s an Android problem? That’s the crux of green1’s complaint:

 My biggest complaint is that Android has various permissions that it lists for apps in the play store, and that are often abused, but that the user has no control over at all. It’s nice that we get to say no to some of them, but the rest of the ones they list in the play store should be controllable too.

Wait. Pause. u/SexualDeth5quad asks the key question:

 Is this any worse than Google’s apps?

Meanwhile, the globally-unique 759b954e-617b-408b-a2b1-f5a42c3688d4 guesses what Google’s real problem was:

 “The only one around here allowed to abuse personal data is us.”

And Finally:

Kids today with their soulless computer music

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: @jorick1117 (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
