Check Point mobile threat researchers have identified a version of DU Antivirus Security that harvested user data without consent. They believe that the app, which was free, has been downloaded between 10 and 50 million times. On first install onto a device, the app proceeded to harvest data from the device. Among the data it collected were unique identifiers, the contact list, call logs and, it is believed, location data.
According to the Check Point researchers: “While users trusted DU Antivirus Security to protect private information, it did the exact opposite. It collected the personal information of its users without permission and used that private information for commercial purposes. Information about your personal calls, who you’re speaking with and for how long, was logged and later used.”
What happened to the data?
The harvested data was encrypted by the app. It was then sent to the server caller.work. Check Point says that this server is not registered to DU apps. Once the data arrives at the server it is then sent to two subdomains. One of the subdomains uses the name of a separate DU app – DU caller. The other subdomain is a private server registered to a Baidu employee.
The data is reused by an app called “Caller ID & Call Block – DU Caller”. This app uses the data to provide users with information on incoming phone numbers. What is not clear is whether this app is aggregating the data from multiple callers. If so, it suggests that a very large database has been created to store and manage all the stolen data.
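The article names caller.work as the server the harvested data was uploaded to, with onward transfer to two subdomains. A network defender's natural check is to look for resolver queries to that apex and anything beneath it. The following is an added example, not part of the Check Point write-up: the DNS log lines are constructed, the log format is an assumption, and the subdomain label used in the sample is a placeholder, not a real one from the research. The matching is done on whole labels so that an unrelated name such as notcaller.work is not flagged.

```python
"""Flag resolver queries for an exfiltration domain and its subdomains.

Added example (not from the Check Point write-up). The log lines below are
constructed; only the domain caller.work comes from the article. The
subdomain label in the sample is a placeholder, not a real one.
"""
import re
from typing import List, Tuple

# Domain named in the article as the upload target.
WATCHED_DOMAINS = {"caller.work"}

# Constructed sample of a generic "timestamp client qtype qname" resolver log.
SAMPLE_DNS_LOG = """\
2017-09-18T10:01:02Z 10.0.0.12 A caller.work
2017-09-18T10:01:03Z 10.0.0.12 A placeholder-subdomain.caller.work
2017-09-18T10:01:04Z 10.0.0.15 A notcaller.work
2017-09-18T10:01:05Z 10.0.0.15 A www.example.com
2017-09-18T10:01:06Z 10.0.0.20 AAAA CALLER.WORK.
"""

# Assumed log layout: four whitespace-separated fields per line.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def normalize_qname(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot."""
    return qname.lower().rstrip(".")


def is_watched(qname: str, watched=WATCHED_DOMAINS) -> bool:
    """True if qname equals a watched apex or is a label-wise subdomain of it.

    Matching is done on DNS labels, not on raw string suffixes, so
    'notcaller.work' is not treated as belonging to 'caller.work'.
    """
    labels = normalize_qname(qname).split(".")
    for apex in watched:
        apex_labels = apex.lower().split(".")
        if len(labels) >= len(apex_labels) and labels[-len(apex_labels):] == apex_labels:
            return True
    return False


def flag_queries(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, normalized qname) for every query to a watched domain."""
    hits: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if is_watched(m.group("qname")):
            hits.append((m.group("client"), normalize_qname(m.group("qname"))))
    return hits


if __name__ == "__main__":
    for client, name in flag_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried {name}")
```

Run against a real resolver export, `flag_queries` gives the set of internal clients that talked to the domain, which is the list of devices worth checking for the apps named in the research.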
The tip of the iceberg
Check Point also discovered that the code used to steal the data was present in a number of other apps. 12 of these were present on the Google Play store. They have since been removed by Google. Between 24 and 89 million users installed these apps.
The researchers also discovered the code in 18 apps outside of Google Play. These other apps can be installed on jailbroken devices. Every one of these apps transmitted data to the same server used by DU Caller.
It is important to note that the researchers do not believe that all the app developers set out to steal data. Instead, they think that the code was implemented through an external code library. What they haven’t been able to do so far is give the details on that library.
What does this mean?
End users need to check their devices for any of the apps mentioned in the blog post. If they find them, they have to be uninstalled from their devices. While this is a little late, it will prevent more data being stolen. For those users who are still using DU Antivirus Security, the researchers say that they should check the version of the app. It apparently no longer contains the code that was stealing the data.
This is not the first case of a security product being used as a trojan horse to steal data. Some of the most pirated software programmes are antivirus and security software. Many of these have been hacked to allow free install but come with a range of exploits and other malware. DU Antivirus Security is, therefore, just following in a long line of bad versions of products.
There is no mention that Check Point has spoken to Baidu about this situation. We have sent an email asking how this happened and if we get a reply will publish the details here.