Tens of millions of Android users potentially had their information collected by a security application distributed through Google Play, Check Point security researchers warn.
Called DU Antivirus Security, the software had between 10 and 50 million downloads when the security researchers alerted Google to its data collection practices on August 21. The application was removed from the store on August 24 and reinstated on August 28, after its developers removed the information-collecting code.
Offered for free, the security software is developed by the DU group, and was discovered to collect a variety of user data without requesting consent from the device owner. The data collection activities, the security researchers discovered, were performed only at the application’s first run.
According to Check Point, the information the application collected from Android devices included unique identifiers, the contact list, call logs, and potentially the location of the device. After gathering the information, the app encrypted it and sent it to a remote server.
The security researchers also discovered that the collected information was then used by another app offered by the DU group, namely Caller ID & Call Block – DU Caller. The software is designed to provide users with information about incoming phone calls.
“While users trusted DU Antivirus Security to protect private information, it did the exact opposite. It collected the personal information of its users without permission and used that private information for commercial purposes,” Check Point notes.
The software logged personal calls, including who the user talked to and for how long. Version 3.1.5 of DU Antivirus Security contains the malicious code, and earlier releases may as well.
The same data-collecting code was found in 30 other applications, 12 of them distributed through Google Play, Check Point reveals in a report. Those apps, which have since been removed, had between 24 and 89 million downloads in total. Affected users are advised to upgrade to the newer versions of DU Antivirus Security and of any other impacted app.
The malicious code appears to have been introduced into these applications through an external library, and they transmitted the collected data to the same server used by DU Caller, the security researchers say.
“Since anti-virus apps have a legitimate reason to request unusually extensive permissions, they are the perfect cover for fraudsters looking to abuse these permissions. In some cases, mobile anti-virus apps are even used as a decoy for delivering malware. Users should be aware of these suspicious anti-virus solutions, and use only mobile threat protection from reputable vendors that are proven to be capable of safeguarding mobile devices and the data stored in them,” Check Point notes.
The security researchers discovered that the malicious code would send the gathered data to the server caller.work. While the domain isn’t registered to DU apps, it has two subdomains that reveal a connection to the developer.
One is reg.caller.work, a PHP page that reports the hostname us02-Du_caller02.usaws02 (which contains the name of the DU Caller app). The other is vfun.caller.work, hosted on a private server that also hosts dailypush.news, a domain registered to a Baidu employee. DU apps are part of the Baidu group, and the employee has posted about functionality related to the caller app, which further links the data collected by the malicious code to the developer.
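For defenders who want to know whether devices on their network ever talked to this infrastructure, the domains above are the only indicators the report gives, so the practical check is a sweep of DNS and proxy logs for caller.work and its subdomains. The script below is an added example, not Check Point's tooling or anything from the DU apps; the two log line layouts it parses are constructed for the example (real DNS servers and proxies log differently), and the client addresses and timestamps in the sample are invented. It matches on a dot boundary so that a lookalike such as notcaller.work is not flagged, and it treats dailypush.news as a lower-confidence indicator because the article only ties it to a shared server, not to the collection code itself.

```python
"""Sweep DNS and proxy log lines for the caller.work infrastructure described
in the Check Point findings. Added example; not Check Point's or DU's code."""
import re
from urllib.parse import urlsplit

# Indicators taken from the article. dailypush.news is a weaker, related
# indicator: it shares a server with vfun.caller.work but is not itself
# named as a collection endpoint, so it is reported at low confidence.
HIGH_CONFIDENCE = ("caller.work",)
LOW_CONFIDENCE = ("dailypush.news",)


def matches_domain(host, indicators):
    """Return the indicator that host equals or is a subdomain of, else None.
    Matching on a '.' boundary avoids false positives such as notcaller.work."""
    host = host.lower().rstrip(".")
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


# Two constructed log layouts (assumptions for this example, not a real product format):
#   <ts> <client-ip> dns query <qname>
#   <ts> <client-ip> proxy <METHOD> <url>
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) dns query (?P<qname>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) proxy (?P<method>[A-Z]+) (?P<url>\S+)$")


def extract_host(line):
    """Parse one log line into (timestamp, client, host); None for lines we don't understand."""
    m = DNS_RE.match(line)
    if m:
        return m.group("ts"), m.group("src"), m.group("qname")
    m = PROXY_RE.match(line)
    if m:
        host = urlsplit(m.group("url")).hostname
        if host:
            return m.group("ts"), m.group("src"), host
    return None


def scan(lines):
    """Return one hit dict per line whose host matches an indicator domain."""
    hits = []
    for line in lines:
        parsed = extract_host(line.strip())
        if parsed is None:
            continue
        ts, src, host = parsed
        confidence = "high"
        indicator = matches_domain(host, HIGH_CONFIDENCE)
        if indicator is None:
            confidence = "low"
            indicator = matches_domain(host, LOW_CONFIDENCE)
        if indicator is not None:
            hits.append({"ts": ts, "client": src, "host": host,
                         "indicator": indicator, "confidence": confidence})
    return hits


def clients_to_triage(lines):
    """Client addresses with at least one high-confidence hit, sorted."""
    return sorted({h["client"] for h in scan(lines) if h["confidence"] == "high"})


# Constructed sample log: addresses and timestamps are invented for the example.
SAMPLE_LOG = [
    "2017-09-18T10:01:02Z 10.0.0.12 dns query reg.caller.work",
    "2017-09-18T10:01:03Z 10.0.0.12 proxy POST http://vfun.caller.work/upload",
    "2017-09-18T10:01:04Z 10.0.0.13 dns query notcaller.work",
    "2017-09-18T10:01:05Z 10.0.0.13 dns query www.dailypush.news",
    "2017-09-18T10:01:06Z 10.0.0.14 dns query play.google.com",
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("triage:", clients_to_triage(SAMPLE_LOG))
```

On the sample above the sweep reports two high-confidence hits for 10.0.0.12 (the DNS lookup of reg.caller.work and the POST to vfun.caller.work) and one low-confidence hit for 10.0.0.13, while the notcaller.work lookup and the Google Play traffic are left alone. A real deployment would swap the two regexes for the parser of whatever DNS or proxy logs are available and keep the rest unchanged.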