App with 1 billion downloads found harvesting users’ data

As part of its continuous efforts to curb violations of users’ privacy, Google removed nearly 600 apps from its app store. Among them was Clean Master, a piece of software that promises privacy and antivirus protection. Ironically, security researchers found the app harvesting users’ private data without restraint. With over 1 billion downloads, Clean Master is still running on a huge number of devices.

Security-centered, but harvests data

Gabi Cirlig, a security researcher at the cybersecurity company White Ops, provided concrete proof of Clean Master collecting users’ data in every possible manner. According to a report by Forbes, the aggregated data includes users’ search engine requests, the websites they visit, and even their Wi-Fi network names. Surprisingly, the app collects this data even when the user enables the in-app “private” mode, which promises anonymous browsing. Given the breadth of data collected, Cirlig showed that it is possible to completely de-anonymize a user.

Clean Master belongs to a Chinese tech company called Cheetah Mobile. The app development firm owns other ‘security-dedicated’ products – CM Browser, CM Launcher, Security Master, and CM File Manager, to name a few. The last of these, CM File Manager, was also removed from the Google Play Store in 2018 for breaching Google’s policies on ad fraud. All of the Cheetah-owned apps have millions of installs. According to the researcher, all of them harvested users’ data without their consent. Upon investigation, it appeared that the apps collect the data from devices, encrypt it, and send it to a domain – ksmobile[.]com. By reversing the encryption process, Cirlig was able to discover exactly what information Clean Master aggregates from users’ devices. Besides browsing history and Wi-Fi access point names, the researcher was able to identify users’ phone numbers.

“I can’t know for sure what they’re infringing upon. It’s just that they are playing ball in a gray area, and it’s up to researchers like us to stand up and call foul whenever they think that they cross the line. I personally think that they cross the line,” says Gabi Cirlig.

Cheetah denies the allegations

Ironically enough, Cheetah Mobile claims that collecting the data is necessary to keep users safe. For example, it says it monitors users’ browsing habits to ensure that the sites they visit aren’t malicious. It also says this lets it offer relevant services to its customers, such as related suggestions for new searches. As for accessing Wi-Fi access point names, the company justifies it in much the same way: to protect users from joining unsafe public networks.

The company claims that it fully complies with local privacy legislation, and that it neither sells the data nor transfers it to Chinese servers. Instead, it says it uses Amazon Web Services, which is not a China-based company. However, Cirlig observed that Cheetah sends the collected information to a domain registered in China.

The company is appealing Google’s decision, which it calls the result of false allegations. Cheetah has been listed on the New York Stock Exchange since 2014, so a Google Play Store ban could seriously cut its revenues. Nearly a quarter of Cheetah Mobile’s income comes from Google-hosted services. If Clean Master doesn’t find a way back onto Google Play, it might even mean the end of the company. Would it be missed? Probably not.

Such data collection is unnecessary

Gabi Cirlig is confident that there are many other ways to aggregate users’ information without compromising their privacy. Cheetah wouldn’t breach any privacy laws if it turned the collected data into “hashes.” The data is transformed into unreadable, gibberish-looking strings of arbitrary letters and numbers, which eliminates the possibility of tracing it back to the sensitive original. Machines then compare those hashes against databases of flagged dangerous sites or Wi-Fi names that have been turned into the same kind of gibberish. Security researchers agree that such a method is more complicated, but nonetheless effective and anonymous.
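The hash-and-compare approach described above, as an added example that is not code from Clean Master or from the researcher’s work. It goes one step further than the text: the device shares only a short prefix of each hash with the lookup service and performs the final comparison locally, so neither the raw value nor its full hash has to leave the phone. The blocklist entries, the `PREFIX_LEN` of 4 bytes and the function names are constructed for this illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed blocklist of flagged hostnames and Wi-Fi SSIDs (not real threat data).
FLAGGED_HOSTS = ["malicious.example", "phish.example.net"]
FLAGGED_SSIDS = ["Free Public WiFi", "coffee-shop-guest"]

PREFIX_LEN = 4  # bytes of the digest that the device shares with the lookup service


def normalize_host(url: str) -> str:
    """Reduce a URL to a canonical hostname so the same site always hashes identically."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.lower().rstrip(".")


def digest(value: str) -> bytes:
    """One-way transform: the service stores and compares these, never the plaintext."""
    return hashlib.sha256(value.encode("utf-8")).digest()


def build_index(values):
    """Service side: map hash prefix -> set of full digests. Raw strings are discarded."""
    index = {}
    for v in values:
        d = digest(v)
        index.setdefault(d[:PREFIX_LEN], set()).add(d)
    return index


def lookup_prefix(index, prefix: bytes):
    """What the service answers: every full digest sharing the prefix (possibly empty)."""
    return index.get(prefix, set())


def is_flagged(index, value: str) -> bool:
    """Device side: only PREFIX_LEN bytes are sent; the exact match is decided locally."""
    d = digest(value)
    return d in lookup_prefix(index, d[:PREFIX_LEN])


HOST_INDEX = build_index(FLAGGED_HOSTS)
SSID_INDEX = build_index(FLAGGED_SSIDS)


def check_url(url: str) -> bool:
    return is_flagged(HOST_INDEX, normalize_host(url))


def check_ssid(ssid: str) -> bool:
    # Note: SSIDs are low-entropy, so an unsalted hash of a common name is still guessable
    # by hashing a dictionary; the prefix-only exchange limits what the service learns.
    return is_flagged(SSID_INDEX, ssid)
```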