Google removed — and then reinstated — one of the most popular mobile antivirus apps on the Play Store after security firm Check Point discovered that the app was secretly collecting device data from users’ smartphones.
The app in question is named DU Antivirus Security and was created by the DU Group, a company that is part of the Baidu conglomerate.
According to the app’s Play Store page, between 10 and 50 million users downloaded and installed the app.
App collecting user data and passing it to another app
In a report published yesterday, Check Point researchers claim they identified suspicious activity in the app’s normal mode of operation. Researchers say that when users ran the DU Antivirus Security app for the first time, the app collected information such as:
Location information, if available
DU Antivirus then encrypted this data and sent it to a remote server located at 126.96.36.199. Initially, researchers thought this was a server under the control of a malware author, but some clever sleuthing through DNS records and adjacent subdomains revealed that domains hosted on the server were registered to a Baidu employee named Zhan Liang Liu.
The collected information was later used by another app belonging to the DU Group called “Caller ID & Call Block – DU Caller,” which provides users with information about incoming phone calls.
Google removes, then reinstates a clean version of the app
Check Point alerted Google to this secret data harvesting behavior on August 21, and Google removed the app from the Play Store on August 24. The app was later reinstated on August 28 after DU Group removed the code responsible for the data collection mechanism.
Check Point says that DU Antivirus Security v3.1.5 included the data collection code, and possibly earlier versions did as well, although the company has not tested previous releases to confirm. It is recommended that users update to the latest version of this app.
Data collection mechanism found in 30 other apps
Following this initial discovery, Check Point searched other apps for the presence of this malicious code. They said they found it embedded in 30 other apps, 12 of which were also distributed through the official Google Play Store. Based on Google statistics, between 24 and 89 million users might have installed malicious apps that collected data without their knowledge.
“These apps probably implemented the code as an external library, and transmitted the stolen data to the same remote server used by DU Caller,” researchers said.
This is not the first time the DU Caller app has come under scrutiny for abusive behavior. Earlier in the year, Chinese media discovered that the DU Caller app used multiple versions of privacy policies in order to trick users, and collected data from devices whether or not the user had given consent.
Below is a table with the names of all apps featuring the data collection code that Check Point identified hosted on the Play Store.
Below is a list of apps featuring the same code, but which were distributed from locations outside the official Play Store.