Baidu headquarters. Researchers from Palo Alto’s Unit 42 team say they found that Baidu Maps and Baidu Search Box were using a software development kit that was collecting a range of sensitive data on users. (simone.brunozzi, CC BY-SA 2.0 https://creativecommons.org/licenses/by-sa/2.0, via Wikimedia Commons)

Two of the most popular Chinese apps on the Google Play Store are leaking sensitive user information that could be used to track users for years, even after they’ve switched phones.

High-profile employees and executives who use these apps should be aware that this leaked data could potentially allow malicious cyber actors to spy on them and target their companies or clients.

Researchers from Palo Alto’s Unit 42 team used a machine learning-based spyware detection tool to monitor network traffic while analyzing Android applications to see what data they were quietly collecting. Among their findings: two widely used Chinese apps – Baidu Maps and Baidu Search Box – were using a software development kit that was collecting a range of sensitive data, such as the user’s MAC address, IMSI number and carrier information.

The problem is that unauthorized third parties could potentially access this same information if they know where to look for it. Then they could leverage this data to surreptitiously track a user’s location and other details through Stingray devices or intercept phone calls and text messages. It can also be used by cybercriminals to “take advantage of the leaked information to intercept phone calls or text messages” or “intercept messages that transfer information in plain text or with weak encryption,” according to a Nov. 24 blog post detailing Unit 42’s research.

The collection of such data is legal, though Google formally discourages Android developers from doing so in their best practices guidelines. In an interview with SC Media, Jen Miller-Osborn, deputy director of threat Intelligence at Unit 42, said her team doesn’t know what happens to that data after Baidu collects it, but many consumers may not know it’s being collected at all.

“There are a lot of apps that could collect this kind of data for any number of reasons, but it is sensitive and it’s something that users should be aware is being collected,” said Miller-Osborn.

Some of this data is housed within a phone’s SIM card, meaning this kind of tracking could potentially endure even after the user replaces their phone. IT security teams and C-Suite executives need to take “a real conscious and hard and thoughtful look at when and where [they’re] incorporating some of these…apps that are being downloaded,” Miller-Osborn said.

“Especially for people who might be potentially bigger targets, they need to…be aware of what is being collected on them and make a conscious decision [around] ‘is this worth the potential security risk?’”

Baidu Maps and Baidu Search Box are essentially the Chinese counterparts to Google Maps and Google’s search bar, both with hundreds of millions of users. The researchers say they reached out to both Baidu and Google with the findings, and that Google found unspecified “additional violations” with the apps and removed them from the Play Store on Oct. 28. A compliant version of the Baidu Search Box app was re-added to the store on Nov. 19, according to Palo Alto.

It’s far from the only example of Android mobile apps getting caught leaking sensitive information or being exploited by malicious actors to spread malware. It highlights the security risks that can be introduced by third-party providers selling their wares through Google’s Play Store and has led to calls in some quarters for Google to provide better oversight into how they regulate app developers.

Whatever changes do happen, Miller-Osborn said users should be given a real choice, not a few sentences tucked away in a terms of service agreement that nobody reads.

“It needs to be something where people can make an informed decision that this data is being collected – and if they agree with it that’s fine – but they need to be able to give informed consent,” she said.