In February, Google threw 600 apps out of its Play store. Amongst those was an app called Clean Master, a security tool promising antivirus protection and private browsing. It had more than 1 billion installs before it was evicted; it remains one of Android’s most downloaded apps ever and, despite Google’s ban, is likely still running on millions of phones.
Whilst Google hasn’t commented on what it knew about the app, created by China’s Cheetah Mobile, Forbes has learned a security company provided the tech giant with evidence the tool was collecting all manner of private Web use data.
That includes which websites users visited from the in-app “private” browser, their search engine queries and their Wi-Fi access point names, right down to more detailed information like how they scrolled on visited Web pages, according to the security company’s researcher, who also provided the information to Forbes.
But the research, carried out by Gabi Cirlig, a researcher at cybersecurity company White Ops, comes after previous allegations of potential privacy issues with Cheetah’s apps. In 2018, Google kicked its CM File Manager app out of its app store over breaches of its policies on ad fraud. (At the time, in response to a report from Buzzfeed News, Cheetah denied it had the ability to falsely claim ad clicks for profit, as was alleged.) Last year, VPNpro warned about possibly “dangerous” permissions required by the apps, such as the ability to install other apps.
It isn’t just Clean Master that’s been watching over users’ Web activity, according to Cirlig. Three other Cheetah products—CM Browser, CM Launcher and Security Master, apps with hundreds of millions of downloads—have been doing the same, he says. He probed the apps last year to discover the behavior before sharing his research with Forbes. He found Cheetah was collecting the information from devices, encrypting the data and sending it to a Web server, ksmobile[.]com. By reverse engineering that encryption process, he was able to determine what data was being harvested from users’ phones.
Cheetah says it is collecting users’ Web traffic and other data, but is doing so largely for security reasons. For instance, it’s monitoring internet browsing to ensure the sites users are visiting aren’t dangerous. It’s also doing so to provide certain services like suggesting recent trending searches.
As for accessing Wi-Fi network names, Cheetah told Forbes the reasoning was much the same: to prevent users joining malicious Wi-Fi networks. “We do not collect data to track users’ privacy and we have no intention to do that,” a spokesperson said.
The company says it complies with all local privacy laws, isn’t selling users’ private data and isn’t sending information back to a Chinese server, but to an Amazon Web Services system outside of the country. Cirlig, however, noted that the domain where the information was relayed was registered in China. And Cheetah itself is based in Beijing.
No good reason to collect data
Two independent security researchers and Cirlig say there are much more secure ways to collect the information. For websites and for Wi-Fi hot spots, the apps could turn the information into “hashes”—fixed-length strings of seemingly random letters and numbers derived from the website or network name. Machines can read them and check such hashes against databases of hashes of previously flagged malicious websites or Wi-Fi networks without the need for humans to view the original names. (Cheetah says hashes would complicate its security checks, as it needs to look out for subtle changes in Wi-Fi names, such as when a zero is changed to an “o,” or for previously unknown malicious sites.)
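As an added illustration of the hashed-matching approach the researchers describe (example code written for this article, not code from Cheetah, White Ops or Google), the snippet below hashes site names and Wi-Fi SSIDs on the device and compares them with a blocklist that contains only hashes. It also shows how a normalisation step before hashing handles the zero-for-“o” variant Cheetah raises: the raw-hash list misses `Free_Airp0rt_WiFi`, the canonical-hash list catches it. The blocklist entries and the confusable-character map are constructed sample values, not real threat intelligence.

```python
import hashlib
import unicodedata

# Constructed confusable-character map. The article mentions only the zero/"o"
# swap; the other two entries are hypothetical examples of the same idea.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "@": "a"})


def normalize(name: str) -> str:
    """Canonicalise a hostname or SSID so trivial look-alike variants collapse
    to one form before hashing (Unicode NFKC, casefold, confusables, separators)."""
    name = unicodedata.normalize("NFKC", name).strip().casefold()
    name = name.translate(CONFUSABLES)
    # Attackers vary separators freely; fold them to one character.
    return name.replace("-", "_").replace(" ", "_")


def exact_hash(name: str) -> str:
    """SHA-256 of the name exactly as observed."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def canonical_hash(name: str) -> str:
    """SHA-256 of the normalised name; this is what the device would report."""
    return exact_hash(normalize(name))


def build_blocklist(bad_names, canonical=True):
    """Server side: the list shipped to or queried by clients holds only hashes,
    so nobody handling it sees plain site or network names."""
    hasher = canonical_hash if canonical else exact_hash
    return frozenset(hasher(n) for n in bad_names)


def is_flagged(name: str, blocklist, canonical=True) -> bool:
    """Client side: hash the observed name the same way and look it up."""
    hasher = canonical_hash if canonical else exact_hash
    return hasher(name) in blocklist


def client_report(observed_names):
    """What would leave the phone under this design: hashes only, never the
    raw SSIDs or hostnames the user actually saw."""
    return [canonical_hash(n) for n in observed_names]


# Constructed sample blocklist (not real indicators).
KNOWN_BAD = ["free_airport_wifi", "login-bank-example.test"]
RAW_BLOCKLIST = build_blocklist(KNOWN_BAD, canonical=False)
CANONICAL_BLOCKLIST = build_blocklist(KNOWN_BAD, canonical=True)

if __name__ == "__main__":
    for ssid in ["Free_Airp0rt_WiFi", "HomeNetwork", "l0gin-bank-example.test"]:
        print(f"{ssid!r}: raw-hash match={is_flagged(ssid, RAW_BLOCKLIST, canonical=False)}, "
              f"canonical-hash match={is_flagged(ssid, CANONICAL_BLOCKLIST)}")
    print("device would send:", client_report(["Free_Airp0rt_WiFi"]))
```

Two caveats a practitioner would add. First, SSIDs and hostnames are low-entropy, so an unsalted hash of them is only weakly private: a server holding the hashes can precompute hashes of common names and recover most of them. Matching against a hashed blocklist downloaded to the device, so that nothing about visited sites leaves the phone at all, is the stronger design. Second, the normalisation step only answers the look-alike-name objection; it does nothing for genuinely unknown malicious sites, which need a separate mechanism.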
Graham Cluley, a security analyst who spent much of his career working for anti-virus companies, said such data collection was “clearly a concern. There are ways for a security firm to check for threats without having to collect so much information, which could potentially be used to lessen users’ privacy.”
“Even if the apps themselves ask for permissions, I would hope that a security product would explain why it needed certain data and try to justify its data snarfle,” Cluley added.
What’s the potential for abuse?
Referring to the breadth of information being collected by Cheetah, it’d be possible to de-anonymize a user by looking across their Web browsing habits, their Wi-Fi access points and the identifying numbers of their phones, Cirlig said.
“The problem is that they’re correlating user behavior—what apps their audience uses, what sites they browse and so on—with specific data that can be very easily tied in to a real person behind that phone. . . . So even if you want to prevent any kind of tracking, it’s not enough to change your phone, but indeed the whole infrastructure that you’re using.
“Even if for some reason they discard all of the personal data on the server-side, the frighteningly huge install base still allows them to leverage their depersonalized data in a Cambridge Analytica-style.”
White Ops said it informed Google about the behavior back in December. In February, Cheetah discovered its Google Play Store, AdMob and AdManager accounts had been suspended.
Cheetah, which has been listed on the New York Stock Exchange since May 2014, is appealing Google’s decision and claims to be working with the tech giant on addressing its concerns. If it doesn’t find a way back onto Google Play, the ban will make a serious dent in its revenues. In the first nine months of 2019, nearly a quarter of Cheetah Mobile’s revenue came from Google-hosted services.