Chinese Mobile Antivirus App Caught Siphoning User Data

DU Antivirus Security app

Google removed — and then reinstated — one of the most popular mobile antivirus apps on the Play Store after security firm Check Point discovered that the app was secretly collecting device data from users’ smartphones.

The app in question is named DU Antivirus Security and was created by the DU Group, a company part of the Baidu conglomerate.

According to the app’s Play Store page, between 10 and 50 million users downloaded and installed the app.

App collecting user data and passing it to another app

In a report published yesterday, Check Point researchers claim they identified suspicious activity in the app’s normal mode of operation. Researchers say that when users run the DU Antivirus Security app for the first time, the app collected information such as:

Unique identifiers
Contact list
Call logs
Location information, if available

DU Antivirus then encrypted this data and sent it to a remote server located at 47.88.174.218. Initially, researchers thought this was a server under the control of a malware author, but some clever sleuthing through DNS records and adjacent subdomains revealed that domains hosted on the server were registered to a Baidu employee named Zhan Liang Liu.

The collected information was later used by another app belonging to the DU Group called “Caller ID & Call Block – DU Caller,” which provides users with information about incoming phone calls.

Google removes, then reinstates a clean version of the app

Check Point alerted Google of this secret data harvesting behavior on August 21, and Google removed the app from the Play Store on August 24. The app was later reinstated on August 28 after DU Group removed the code responsible for the data collection mechanism.

Google removed the app on the grounds that it did not specify the data collection mechanism in its privacy policy, nor had the app obtained permission from users.

Check Point says that DU Antivirus Security v3.1.5 included the data collection code, and possibly earlier versions as well, although the company has not tested previous releases to confirm this. Users are advised to update to the latest version of the app.

Data collection mechanism found in 30 other apps

Following this initial discovery, Check Point searched other apps for the presence of this malicious code. They said they found it embedded in 30 other apps, 12 of which were also distributed through the official Google Play Store. Based on Google statistics, between 24 and 89 million users might have installed malicious apps that collected data without their knowledge.

“These apps probably implemented the code as an external library, and transmitted the stolen data to the same remote server used by DU Caller,” researchers said.

This is not the first time the DU Caller app has come under scrutiny for abusive behavior. Earlier in the year, Chinese media discovered that the DU Caller app used multiple versions of its privacy policy in order to mislead users, and that it collected data from devices regardless of whether the user had given consent.

Below is a table with the names of all apps featuring the data collection code that Check Point identified hosted on the Play Store.

Apps with data collection mechanism

Below is a list of apps featuring the same code, but which were distributed from locations outside the official Play Store.
