UPDATED Infosec researchers at Palo Alto Networks’ Unit 42 threat intelligence unit spotted a pair of prominent Chinese apps leaking personal data, and after Unit 42 informed Google the ad giant dumped the apps from its Play store.
The researchers named Chinese web giant Baidu’s Search Box and Maps as the offending apps, saying they collected devices’ MAC addresses and the unique International Mobile Subscriber Identity (IMSI) that identifies mobile network subscribers.
Because the IMSI is tied to the SIM rather than the handset, it follows a user who adopts a new phone, so the apps therefore “made users trackable, potentially over their lifetime.”
Baidu says the personal information was only used to enable push functionality and that the privacy agreement in its apps disclosed that use.
Palo Alto noted that collecting MACs and IMSIs is “not a definitive violation of Google’s policy for Android apps”, but the practice is discouraged.
The Unit 42 team therefore shared its findings with Google and says the ad giant “confirmed the findings, identified unspecified violations and removed the applications from Google Play globally on Oct. 28, 2020.”
Baidu disputes that the data leakage Palo Alto described is the reason for the apps departing the Play store.
Baidu also got an email from Palo Alto and appears to have acted on it, because a new version of Search Box that no longer collects the identifiers debuted on Google Play on November 19th. Baidu Maps is yet to return.
Palo Alto detected Baidu’s misbehaving apps with a malware scanner, which speaks volumes about the Baidu apps’ behaviour. ®
UPDATED: 04:00 GMT November 25th. Baidu has contacted The Register and said the reason the apps were removed from the Play Store was "One of our APKs has prominent disclosure but the disclosure is not adequate."