HackDig : Dig high-quality web security articles for hacker

Baidu Browser Acts like a Mildly Tempered Infostealer Virus

2016-02-24 16:35

The Baidu Web browser for Windows and Android exhibits behavior that could easily allow a security researcher to categorize it as an infostealer virus because it collects information on its users and then sends it to Baidu's home servers.

Baidu Browser is the Chinese clone of Google Chrome: Baidu is a Web search company in China, just like Google, and its browser is a spin-off from the Chromium project, just like Google Chrome.

An intrusion of user privacy

According to Citizen Lab researchers, the browser engages in the now-obligatory habit of collecting user details, which many software and Web-based services also do, "for analytics purposes."

The problem is that the Baidu Browser collects and then sends this information via unencrypted or easily decryptable connections.

During tests, researchers say that the Android version collects data about the user's operating system, the phone's IMEI, browsing history, search terms history, the phone's last GPS coordinates, and nearby wireless networks and local MACs.

The Windows version, in turn, collects the user's search history, browsing history, MAC address, CPU model, hard disk drive model and serial number, and file system volume number.

The browser collects and sends this information on startup, when the user starts typing content in their address bar, and on any page view.

Information collection behavior narrowed down to an SDK

Obviously, this is an intrusion of the user's privacy and something you wouldn't expect your browser to be collecting. This very same behavior is often found in infostealer (information stealer) malware that's usually deployed to collect information on targets before deploying more complex threats like ransomware, Bitcoin miners, spyware, or banking trojans.

Citizen Lab researchers narrowed down the information leakage issues to a common SDK, Baidu Mobile Tongji (Analytics) SDK, used for both the Android and Windows versions.

Together with mobile security firm Lookout, the researchers identified this SDK inside 22,548 app packages. Back in November 2015, researchers from Trend Micro identified a similar Baidu SDK, which could be found in 14,112 Android apps and included features that could be abused to install backdoors on all infected devices.

Insecure updates allow MitM attacks

But Baidu Browser's issues didn't stop here. Researchers also discovered that the browser checks and downloads updates but does not use code signatures. This practice exposes users to MitM (Man-in-the-Middle) attacks that allow an attacker to send malicious files to users disguised as a Baidu update.
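The missing check, as an added illustration that is not Baidu's or Citizen Lab's code: the client holds a pinned vendor public key and refuses any update whose signature does not verify, so a package substituted on the wire is rejected. Ed25519, the version-string binding, and the package layout are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is the assumed wire format: a version, the update bytes,
// and a detached signature produced by the vendor's release key.
type UpdatePackage struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// signedMessage binds version and payload together so neither can be
// swapped independently without invalidating the signature.
func signedMessage(version string, payload []byte) []byte {
	return append([]byte(version+"\x00"), payload...)
}

// signUpdate stands in for the vendor's release pipeline (assumed).
func signUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return UpdatePackage{Version: version, Payload: payload, Signature: sig}
}

// verifyUpdate is the client-side step the article says the browser lacks:
// only a package signed under the pinned vendor key may be installed.
func verifyUpdate(pinnedPub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed or missing signature: refusing update")
	}
	if !ed25519.Verify(pinnedPub, signedMessage(pkg.Version, pkg.Payload), pkg.Signature) {
		return errors.New("signature verification failed: refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	pkg := signUpdate(priv, "constructed-1.0", []byte("constructed update payload"))
	fmt.Println("genuine package:", verifyUpdate(pub, pkg))
	pkg.Payload = []byte("payload substituted in transit") // simulated tampering
	fmt.Println("tampered package:", verifyUpdate(pub, pkg))
}
```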

Researchers say that they informed Baidu of all their findings, which the company began to address through updates to both the Android and Windows versions on February 14, 2016. Some information leaks are still active.

Baidu also agreed to answer a list of questions regarding the browser's behavior. The answers can be viewed here.

In May 2015, the same Citizen Lab researchers analyzed another Chinese Web browser (UC Browser) and found a slew of issues in that product as well.

Baidu Browser exposed to MitM attacks

