DU Apps Studio, the global product team of Baidu, has not announced the security vulnerability in its Android apps
About "Simeji Privacy Lock" Baidu Corp.
13th Nov 20:00 We are sure that this application does not use the Moplus SDK. However, we have confirmed the use of shared code that may contain another risk. This code activates a local communication service, making it possible for a malicious third party who accesses the API under specific conditions to obtain information that could lead to identification of the terminal. It should be noted that applications and data on the terminal are never tampered with through this problem. To respond to this vulnerability, we released an update (ver. 2.0.1.71) on Google Play today at 14:44, but at the moment (19:30) it cannot be browsed on Google Play. We are in contact with Google Play about this issue. Until the new version (ver. 2.0.1.71) is published, please uninstall "Simeji Privacy Lock". 14th Nov 4:00
Baidu Japan announced the security vulnerability in Simeji Privacy Lock.
I found the same vulnerability in the following DU Apps Studio applications.
DU Privacy Vault - App Lock 2.0.1.67 (Sep 2015)
DU App Locker 1.2.2.38 (Aug 2015, the old version of DU Privacy Vault)
But DU Apps Studio has not announced the security vulnerability in them as of 16 Nov 0:00 GMT.

    LocalServerSocket localserversocket1 = new LocalServerSocket(b());
    localserversocket = localserversocket1;
    _L2:
    Intent intent1;
    Intent intent2;
    if(localserversocket != null)
        break MISSING_BLOCK_LABEL_733;
    intent1 = com.baidu.android.pushservice.i.s.b(a, "com.baidu.pushservice.action.start.SERVICEINFO");
    intent2 = com.baidu.android.pushservice.i.s.b(a, "com.baidu.moplus.action.start.SERVICEINFO");
    if(intent1 == null && intent2 == null)
        return false;

    public static ArrayList u(Context context)
    {
        ArrayList arraylist = D(context);
        List list = ((ActivityManager)context.getSystemService("activity")).getRunningServices(1000);
        ArrayList arraylist1 = new ArrayList();
        Iterator iterator = list.iterator();
        do
        {
            if(!iterator.hasNext())
                break;
            android.app.ActivityManager.RunningServiceInfo runningserviceinfo = (android.app.ActivityManager.RunningServiceInfo)iterator.next();
            String s1 = runningserviceinfo.service.getPackageName();
            if(!arraylist1.contains(s1) && arraylist.contains(s1) && (runningserviceinfo.service.getClassName().contains("PushService") || runningserviceinfo.service.getClassName().contains("MoPlusService")) && v(context, s1))
                arraylist1.add(runningserviceinfo.service.getPackageName());
        } while(true);
        return arraylist1;
    }

In the DU Privacy Locker code, it seems MoPlusService was replaced with PushService, which provides the same functions.
It seems this means DU Apps Studio forgot to delete the old code for "MoPlusService".
It uses LocalServerSocket, and looks like a backdoor for connecting from outside. (Baidu said it is a vulnerability.)
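To check whether another app's decompiled sources contain the same shared code, the strings visible in the two excerpts above can serve as search indicators. The following Python script is an added example, not code from the original post or from Baidu; the function names and classification labels are hypothetical, and the sample input is built from lines of the first excerpt.

```python
import re
from pathlib import Path

# Indicator strings copied from the decompiled excerpts on this page.
INDICATORS = {
    "local_socket": re.compile(r"\bnew\s+LocalServerSocket\s*\("),
    "push_action": re.compile(r"com\.baidu\.pushservice\.action\.start\.SERVICEINFO"),
    "moplus_action": re.compile(r"com\.baidu\.moplus\.action\.start\.SERVICEINFO"),
    "moplus_service": re.compile(r"\bMoPlusService\b"),
    "push_service": re.compile(r"\bPushService\b"),
}

def scan_source(text):
    """Return {indicator name: [1-based line numbers]} for one source file."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def classify(hits):
    """Grade a file (hypothetical labels): the socket together with a SERVICEINFO
    action is the pattern in the first excerpt; MoPlus names alone are leftovers."""
    if "local_socket" in hits and ({"push_action", "moplus_action"} & hits.keys()):
        return "local-service"
    if {"moplus_action", "moplus_service"} & hits.keys():
        return "moplus-leftover"
    return "other" if hits else "clean"

def scan_tree(root):
    """Scan every .java file under a directory of decompiled sources."""
    report = {}
    for path in sorted(Path(root).rglob("*.java")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = (classify(hits), hits)
    return report

# Sample input: lines from the first excerpt above, one statement per line.
SAMPLE = """LocalServerSocket localserversocket1 = new LocalServerSocket(b());
intent1 = com.baidu.android.pushservice.i.s.b(a, "com.baidu.pushservice.action.start.SERVICEINFO");
intent2 = com.baidu.android.pushservice.i.s.b(a, "com.baidu.moplus.action.start.SERVICEINFO");
"""

if __name__ == "__main__":
    print(classify(scan_source(SAMPLE)), scan_source(SAMPLE))
```

A match only marks a file for manual review; it does not show that the service is reachable or enabled in a given build.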
DU Privacy Vault - App Lock was also updated to 2.0.1.71, but DU (Baidu's global development team) did not announce it.
Simeji Privacy Lock - Android Apps on Google Play
The Japanese localized version also did not describe the vulnerability; it only included the unrelated string "moplus ".
Hundreds of millions of users are affected by the vulnerability; I think Baidu should announce this.