Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android AV App Collected Data on Tens of Millions Users

Tens of millions of Android users potentially had their information collected by a security application distributed through Google Play, Check Point security researchers warn.

Tens of millions of Android users potentially had their information collected by a security application distributed through Google Play, Check Point security researchers warn.

Called DU Antivirus Security, the software had between 10 and 50 million downloads when the security researchers alerted Google on its data collection practices on August 21. The application was removed from the store on August 24, but was reinstated on August 28, after its developers removed the information-collecting code.

Offered for free, the security software is developed by the DU group, and was discovered to collect a variety of user data without requesting consent from the device owner. The data collection activities, the security researchers discovered, were performed only at the application’s first run.

According to Check Point, the information collected by the application from Android devices included unique identifiers, contact list, call logs, and potentially the location of the device. After gathering the information, the app was encrypting it and sending it to a remote server.

The security researchers also discovered that the collected information was then used by another app offered by the DU group, namely Caller ID & Call Block – DU Caller. The software is designed to provide users with information about incoming phone calls.

“While users trusted DU Antivirus Security to protect private information, it did the exact opposite. It collected the personal information of its users without permission and used that private information for commercial purposes,” Check Point notes.

The software would log information on personal calls, as well as details on who and for how long the user talked to. DU Antivirus Security 3.1.5 includes the malicious code, and potentially so do previous application releases.

Advertisement. Scroll to continue reading.

The same data-collecting code was found in 30 other applications, including 12 programs distributed through Google Play, Check Point reveals in a report. The apps, which have been removed, had between 24 and 89 million downloads in total. Affected users are advised to upgrade to newer versions of DU Antivirus Security and any other impacted app.

The malicious code was supposedly implemented in these applications through an external library, but they transmitted the collected data to the same server used by DU Caller, the security researchers say.

“Since anti-virus apps have a legitimate reason to request unusually extensive permissions, they are the perfect cover for fraudsters looking to abuse these permissions. In some cases, mobile anti-virus apps are even used as a decoy for delivering malware. Users should be aware of these suspicious anti-virus solutions, and use only mobile threat protection from reputable vendors that are proven to be capable of safeguarding mobile devices and the data stored in them,” Check Point notes.

The security researchers discovered that the malicious code would send the gathered data to the server While the domain isn’t registered to DU apps, it has two subdomains that reveal a connection to the developer.

One is, a PHP webpage that specifies hostname us02-Du_caller02.usaws02 (which contains the name of the DU Caller app). The other is, hosted on a private server that also hosts the domain, which is registered to a Baidu employee. DU apps are part of the Baidu group and the employee posted about functionality related to the caller app, which indicates a connection with the data collected by the malicious code.

The DU Caller app has been already criticized for its ambiguous privacy policy, which displays different terms on separate pages, as well as for executing activity regardless of whether it has the user consent or not. DU Caller was also affected by one of the largest data breaches, exposing over 2 billion user phone numbers earlier this year, a Risk Based Security report revealed in July.

Related: Amazon Suspends Sales of BLU Smartphones Over Security, Privacy Concerns

Related: Backdoor in Some Android Phones Sends Data to Server in China

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.