Photo: MIT Technology Review
While for many, the world of navigation software comes down to just three big names, namely Google Maps, Apple Maps, and Waze, there are plenty of other popular solutions out there, such as Here WeGo, TomTom GO Navigation, and Sygic GPS Navigation.
In the United States, however, around 6 million people actually installed software from Chinese company Baidu, including the Baidu Search Box and Baidu Maps, the latter seen as quite a worthy alternative to Google Maps.
However, researchers from security company Palo Alto's Unit 42 discovered both apps have been leaking data, which could be used by a malicious actor to track users. Both Baidu Search Box and Baidu Maps were published in the Google Play Store and available for download in the United States and international markets.
Baidu’s Android push SDK powering the two apps allowed the collection of identifiers and leaked some details that “made users trackable, potentially over their lifetime,” Unit 42 researchers explain.
The software collected MAC addresses, carrier information, and international mobile subscriber identity (IMSU) numbers. IMSI data is the one making users trackable, as it’s tied to the SIM used to connect to the carrier and thus is transferred from one phone to another.
“Data such as the IMSI or the IMEI are desirable for cybercriminals, who can use methods such as active and passive IMSI catchers to overhear this information from cell phone users. Once this data is acquired, cybercriminals can profile users and further extract sensitive information about them. For example, if a cybercriminal gets hold of a phone’s IMEI number, they could use it to report the phone as stolen and trigger the provider to disable the device and block its access to the network,” the security company notes.
Unit 42 alerted both Baidu and Google about these findings, and the search giant’s Android team decided to remove them from the Google Play Store on October 28 this year. A modified version of Baidu Search Box that no longer collects data was re-published on November 18, but Baidu Maps is still nowhere to be seen at the time of writing.
However, researchers from security company Palo Alto's Unit 42 discovered both apps have been leaking data, which could be used by a malicious actor to track users. Both Baidu Search Box and Baidu Maps were published in the Google Play Store and available for download in the United States and international markets.
Baidu’s Android push SDK powering the two apps allowed the collection of identifiers and leaked some details that “made users trackable, potentially over their lifetime,” Unit 42 researchers explain.
The software collected MAC addresses, carrier information, and international mobile subscriber identity (IMSU) numbers. IMSI data is the one making users trackable, as it’s tied to the SIM used to connect to the carrier and thus is transferred from one phone to another.
“Data such as the IMSI or the IMEI are desirable for cybercriminals, who can use methods such as active and passive IMSI catchers to overhear this information from cell phone users. Once this data is acquired, cybercriminals can profile users and further extract sensitive information about them. For example, if a cybercriminal gets hold of a phone’s IMEI number, they could use it to report the phone as stolen and trigger the provider to disable the device and block its access to the network,” the security company notes.
Unit 42 alerted both Baidu and Google about these findings, and the search giant’s Android team decided to remove them from the Google Play Store on October 28 this year. A modified version of Baidu Search Box that no longer collects data was re-published on November 18, but Baidu Maps is still nowhere to be seen at the time of writing.
Google News