Multiple Android mobile apps found in Google Play, including Baidu Search Box and Baidu Maps, were found by researchers to be leaking data that could be used to track users – even if they switch devices.
The apps have each been downloaded millions of times, according to Palo Alto Unit 42 researchers. They’ve been removed from Google Play, but anyone with one of the offending apps still installed is at risk.
Researchers found the apps in question to expose a range of information, including: Phone model; screen resolution; phone MAC address; wireless carrier; network (Wi-Fi, 2G, 3G, 4G, 5G); Android ID; International Mobile Subscriber Identity (IMSI); and International Mobile Equipment Identity (IMEI).
Cybercriminals in turn can use a variety of sniffing tools – such as active and passive IMSI catchers — to “overhear” this information from cell phone users.
“While some of this information, such as screen resolution, is rather harmless, data such as the IMSI can be used to uniquely identify and track a user, even if that user switches to a different phone and takes the number,” said researchers with Palo Alto Networks Unit 42, in a Tuesday posting.
The IMEI is a unique identifier of the physical device and denotes information such as the manufacturing date and hardware specifications. The IMSI meanwhile uniquely identifies a subscriber to a cellular network and is typically associated with a phone’s SIM card, which can be transferred between devices. Both identifiers can be used to track and locate users within a cellular network.
Because of this, Android applications that collect such data can track users over the lifetime of multiple devices, researchers warned.
“For example, if a user switches their SIM card to a new phone and installs an application that previously collected and transmitted the IMSI number, the app developer is able to uniquely identify that user,” according to the posting.
In addition to following users across devices, attackers could wreak further havoc, researchers said; for instance, they could use the phone’s IMEI number to report a phone as stolen, triggering a carrier to block its access to the network. And, attackers could take advantage of the leaked information to intercept phone calls or text messages, according to Unit 42.
Researchers found multiple Android applications that allowed such data leakage. The two largest applications discovered were Baidu Search Box and Baidu Maps (Baidu is a China-based internet company that is not unlike Google in its range of offerings). Google took action, and a benign version of Baidu Search Box became available on Google Play globally on Nov. 19, while Baidu Maps remains unavailable globally.
Another offending application available in Google Play in the U.S. is the Homestyler – an interior-decorating app that researchers said has not been taken down. And, researchers flagged an Android SDK known as ShareSDK, from the Chinese vendor MobTech.
“ShareSDK supports more than 40 social media platforms,” according to Unit 42. “It helps third-party app developers easily access social-media sharing and registration. It also allows them to acquire users’ information, friends lists and other social functions. Currently, ShareSDK is offering service for over 37,500 applications, and it has become China’s largest developer service platform.”
Data leakage from Android applications and SDKs represents a serious violation of users’ privacy, though developers often don’t realize that their apps are at risk, researchers noted.
“While not a definitive violation of Google’s policy for Android apps, the collection of identifiers, such as the IMSI or MAC address, is discouraged based on Android’s best practice guide,” explained the researchers. “To prevent data leakage, Android app developers should follow Android’s best practices guide and correctly handle users’ data. Android users should stay informed about the required permissions requested by applications on their devices.”
A report in April 2019 found that millions of apps leak personally identifiable information (PII) such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers.
“App stores have been found to feature malicious apps, as well as legitimate apps that collect user information without user consent,” Usman Rahim, digital threat analyst with The Media Trust, told Threatpost at the time. “Like IoT devices, apps are too often developed without security and privacy in mind. Free apps that feature ads are particularly vulnerable to attacks.”