Cyber Security

DU Antivirus Security App Grabs User Data

DU Antivirus Security is back on Play Store! It was removed from the Google Play Store, then what made it get reinstated?

Before you start wondering let us describe the complete thing to you. DU Antivirus Security app, is one of the most popular mobile antivirus apps. It was deleted from the app store after security firm Check Point revealed that the app was secretly accumulating device data from handlers’ smartphones.

Must Read: 14 Best Android Security Apps

DU Antivirus Security app was created by the DU Group. As per the data collected from Play Store page the app was downloaded on 10 to 50 million users devices.

App Collects User Data Secretly And Passes It To Another App

Check Point researchers in a report published purport that they have detected wary activities in the app’s operation. When using the app for the first time, DU Antivirus Security app collects the following data.

Unique identifiers
Contact list
Call logs
Location information, if available

The collected data is then encrypted and sent to a remote server located at 47.88.174.218. Initially, researchers assumed that the server is controlled by a malware author. But after some ingenious investigation done via DNS records and in line subdomains they discovered that the domains hosted on the server were registered to a person name Zhan Liang Liu who is an employee at Baidu.

This collected information was then utilized by another app, “Caller ID & Call Block – DU Caller which belongs to the DU Group itself. The app is used to deliver users with details about incoming calls.

Google Seized the App

After all the information was gathered to prove the suspicious behavior of the app. Checkpoint warned Google about the app and it’s working on August 21. After knowing the secret behavior of the app Google deleted the app on August 24th, from the Play Store.

Google removed the app as in the privacy policy there was no mention about data collection neither the app takes any permission from the user.

To get the app reinstated on the Play Store DU group had to remove the data collection code responsible for prying onto user’s data.  After it was removed the app was restored on August 28th

As per, Check Point DU Antivirus Security v3.1.5 and earlier had the data collection code, however they have not tested the previous versions, to confirm their claim. Therefore, to stay protected all users should update to the latest version of app which is without the data collection code.

Must Read: 5 Best Privacy Apps for Android to Improve Privacy and Security

30 other apps to have the same mechanism

After detecting the suspicious behavior of DU Antivirus Security app, Check Point examined other apps too to see if they too have the malicious code. They claimed that they could find the code rooted in 30 other apps, 12 of which were available on the Google’s Play Store. Based on the data found on Play Store, approximately 24 to 89 million users might have installed the nasty apps that collects data without taking any permission from the user.

“These apps probably implemented the code as an external library, and transmitted the stolen data to the same remote server used by DU Caller,” researchers said.

Prior to this DU Caller app has been under for its offensive behavior. Earlier this year, Chinese media too revealed that the DU Caller app uses several versions of privacy policies to fool users and collect data from their devices even when user has granted permission or not.

Below is a table which shows name of the apps containing the data collection code that Check Point identified hosted on the Play Store.

Here is another list of the apps which feature the same code, but they are distrusted by third party websites.

com.power.core.setting

com.friendivity.biohazard.mobo

com.energyprotector.tool

com.power.core.message

batterysaver.cleaner.speedbooster.taskkiller.phonecooler

com.rammanager.pro

com.memoryanalysis.speedbooster

com.whosthat.callerid

speedbooster.memorycleaner.phonecleaner.phonecooler

com.example.demos

com.android.fb

antivirus.mobilesecurity.antivirusfree.antivirusandroid

speedtest.networksecurity.internetbooster

com.ramreleaser.speedbooster

com.dianxinos.optimizer.duplay

com.coolkeeper.instacooler

com.memoryreleaser.booster

com.freepopularhotvideo.hotube

While speaking with SC Media UK, Tony Anscombe, ESET’s industry ambassador said, “If it’s collecting data and passing to another app, it sounds non-malicious but it is a disclosure issue.  There’s a hundred different antivirus products on the market, 10 companies dominate, and I am sure there are some products in there developed with great intentions but sometimes people don’t understand what disclosures they should make and what disclosures they shouldn’t make.”

“You have to have a trust relationship as an anti-malware provider because the access you have to someone’s device is all seeing, because it needs to be, so the disclosures have to be correct, and your privacy policy has to be written in a way that someone can understand as well.  There needs to be language in there that my mum can understand.

“These stories affect the entire industry because if people lose trust with the security industry it’s bad for all of us. Also – being in the Google Play store, it undermines that.  It also emphasizes the need for diversity of supply. If you are in a monoculture, then if that one provider misses something it can get mass infection. With a diverse security industry with lots of different players looking at lots of different things, then you get lower infection rates, and fewer issues, because people look at things from different places.”

Leave a comment