Android antivirus app with up to 50 million downloads covertly hijacked users' data

A free-to-use antivirus app for Android smartphones with between 10 and 50 million downloads was recently found to be stealing users' data from devices without consent.

The app, called "DU Antivirus Security", was discovered on Google Play, the official Android marketplace, by experts from security firm Check Point. The team said this week (18 September) that anyone using the software should update immediately to ensure their data remains safe.

"While users trusted DU Antivirus Security to protect private information, it did the exact opposite," the cybersecurity firm asserted in its analysis.

"It collected the personal information of its users without permission and used that private information for commercial purposes," it added.

The experts found the DU group sought "information about your personal calls, who you're speaking with and for how long, [which] was logged and later used".

The full DU range of Android applications are linked to Chinese technology giant Baidu.

Check Point said that when the app was launched for the first time it scooped up information from the device – including contact lists, call logs and even its location via GPS.

That data, researchers found, was then encrypted and transmitted to a remote server to later be used by another application offered by its developers, called "DU Caller".

The security firm reported what it called the "illegal use of users' private information" to Google on 21 August 2017 and it was subsequently removed three days later.

An updated version surfaced on 28 August 2017, however users with older versions will still be at risk. Version 3.1.5 is the latest to include the privacy-leaking code, Check Point said, adding that the same dodgy code was found in 30 other apps, 12 of which were on Google Play.

The 12 apps offered through official channels with suspicious code have been removed. In total, the full scope of the illicit code may have hit between "24 and 89 million" users.

One domain used in the scheme was linked to zhanliangliu@gmail[dot]com, who is an employee of China's Baidu. "Since the DU apps are part of the Baidu group [...] this indicates a connection between the stolen information and the caller app," researchers said.

Others DU apps in the Baidu range include DU Speed Booster, DU Battery Saver and FaceMoji.

Check Point said: "Users who installed the DU Antivirus Security or any of the other apps should verify they are upgrading to the latest version that does not include this code.

"Since anti-virus apps have a legitimate reason to request unusually extensive permissions, they are the perfect cover for fraudsters looking to abuse these permissions," it warned.

"In some cases, mobile anti-virus apps are even used as a decoy for delivering malware."