A data collection issue has been identified in the Baidu Maps and Baidu Search Box apps, both of which were retired from the Play Store in October 2020.
Two Android apps owned by Chinese tech giant Baidu were pulled from Google's Play Store in late October after they were caught collecting sensitive information from their users.
The two apps, Baidu Maps and Baidu Search Box, were removed after Google received a report from US cybersecurity firm Palo Alto Networks. Together, the two apps had over 6 million downloads before they were deleted.
According to the US security company, both apps contain code that collects each user's phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number.
Some information seems sensitive
The data collection code was found in the Baidu Push SDK, which is used to display real-time notifications in both apps.
Stefan Achleitner and Chengcheng Xu, the Palo Alto Networks security researchers who identified the data collection code, say that while some of the information collected is "fairly harmless", data such as the IMSI "can be used to identify and track a user in a unique way, even if that user changes phones".
The research team notes that collecting personal user data is not specifically prohibited by Google's policy on Android apps. Nevertheless, after the issue was reported to Google, the Play Store security team confirmed the findings and "identified unspecified violations" in the two Baidu apps, which led to their removal from the official store on October 28.
As of this writing, the Baidu Search Box app has been restored to the Play Store, and Palo Alto Networks says that Baidu's developers have removed the data collection code.
Checking errors in the Android ecosystem
In addition to the Baidu Push SDK, the Palo Alto Networks team also identified similar data collection code in the ShareSDK developed by Chinese advertising giant MobTech. According to the two researchers, this SDK, which is used by more than 37,500 apps, also lets app developers collect data such as phone model, screen resolution, MAC address, Android ID, Advertising ID, carrier, and IMSI and IMEI (International Mobile Equipment Identity) codes.
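To make the identifiers listed above concrete for anyone auditing a bundled SDK, here is an added example (not code from Palo Alto Networks, Baidu, or MobTech) that scans a decompiled app's source tree for the Android API calls that expose those identifiers and groups the hits by package, so SDK-wide collection stands out from the app's own code. The regex patterns, file paths, package names, and sample source are all constructed assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Android API calls/constants that expose the identifiers named in the article.
# Pattern list is an assumption: extend it for other identifier sources.
IDENTIFIER_APIS = {
    r'\bgetSubscriberId\s*\(': 'IMSI',
    r'\bgetDeviceId\s*\(|\bgetImei\s*\(': 'IMEI',
    r'\bgetMacAddress\s*\(': 'MAC address',
    r'Settings\.Secure\.ANDROID_ID|"android_id"': 'Android ID',
    r'AdvertisingIdClient|getAdvertisingIdInfo': 'Advertising ID',
    r'\bgetSimOperator(Name)?\s*\(|\bgetNetworkOperator(Name)?\s*\(': 'carrier',
}

def scan_source(text: str) -> set[str]:
    """Return the identifier kinds a single decompiled source file references."""
    return {label for pattern, label in IDENTIFIER_APIS.items()
            if re.search(pattern, text)}

def scan_tree(files: dict[str, str]) -> dict[str, set[str]]:
    """Group hits by top-level package (first two path components).
    `files` maps a source path to its contents."""
    by_pkg: dict[str, set[str]] = defaultdict(set)
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            by_pkg['/'.join(path.split('/')[:2])] |= hits
    return dict(by_pkg)

# Constructed sample tree (hypothetical packages, not any real SDK): a bundled
# SDK reading several identifiers, and the app's own code reading only the carrier.
SAMPLE_TREE = {
    'com/examplesdk/push/DeviceInfo.java': '''
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        String imsi = tm.getSubscriberId();
        String imei = tm.getDeviceId();
        String mac = wifi.getConnectionInfo().getMacAddress();
        String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);
    ''',
    'com/exampleapp/ui/MainActivity.java': 'String carrier = tm.getNetworkOperatorName();',
    'com/exampleapp/ui/Util.java': 'int retries = 3;',
}

if __name__ == '__main__':
    for pkg, ids in sorted(scan_tree(SAMPLE_TREE).items()):
        print(f'{pkg}: {", ".join(sorted(ids))}')
```

Run it against the output of a decompiler such as jadx to see which package reads which identifiers; a third-party package touching IMSI, IMEI and MAC together is the pattern the researchers describe.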
"Analysis of Android malware shows that SDKs like the Baidu Push SDK or the ShareSDK are frequently used by malicious applications to extract and transmit data from devices," they warn. While the SDKs may have been developed for legitimate purposes, such as pushing notifications and sharing content on social media, they are often abused by malware developers.
Generally speaking, this is a recurring problem, not only for the Android ecosystem but for the online application world as a whole: in the absence of legislation specifically prohibiting such practices, many applications collect sensitive data about their users without restriction.