So how was your weekend? Good, good. Mine? Pretty uneventful, really. I did find out that an Android app that I’ve been using for years has been phoning home to China, but other than that…

The app in question is ES File Explorer, currently boasting some 300 million downloads in its Play Store listing. I’ve been using it for its remote file manager abilities, which basically turns my phone into an FTP server so I can transfer large files wirelessly over my home network. Little did I know that the app was also transmitting data back to a Chinese server at the same time.

But now I do, and it’s all thanks to some forum threads and my new favourite app.

Unknown Folder “baidu”

This all started with a thread on the Sony Xperia Care Forums that I came across last week. Honestly, the original idea for this post was to warn prospective Sony buyers about potential spyware in the My Xperia app. From that thread:

To sketch the magnitude of the problem: potentially, the Chinese government can: Read status and identity of your device

Make pictures and videos without your knowledge

Get your exact location

Read the contents of your USB memory

Read or edit accounts

Change security settings

Completely manage your network access

Couple with Bluetooth devices

Know what apps you are using

Prevent your device from entering sleep mode

Change audio settings

Change system settings All of the above can potentially be monitored and managed remotely via internet WITHOUT YOUR KNOWLEDGE OR PERMISSION!

Apparently the culprit is a folder in the internal (root) storage of Xperia devices called “baidu”. If you didn’t know, Baidu is the Chinese search giant that’s widely rumoured to have close ties with the PRC government. Hold that thought…

The proof that Sony was leaking data to Chinese servers was proved with a screen grab from an app I had never heard of, OS Monitor—it’s available on both the Play Store and F-Droid. Since F-Droid only hosts apps with some sort of open-source license, I figured it was legit. Best part of all? It doesn’t require root.

baidu.cuid

Back to Baidu, I had noticed a file in the internal storage of my Nexus 5 called “baidu.cuid”. A bit of searching yielded a thread on XDA with other Nexus owners also in possession of this mystery file. The consensus seems to be that ES File Explorer is to blame. From that thread:

To those that thought it *might* be ES File Explorer – I salute you. My research: I deleted the directory and tried a bunch of apps to try and find the culprit. Then I did a root search of my phone for the word “baidu.” I used CM11’s file explorer rather than a 3rd party app. Here’s what came up: In folder /data/data/com.estrongs.android.pop/shared_prefs is a file: __Baidu_Stat_SDK_SendRem.xml. When I look at the XML it’s pretty simple. It’s sending a logfile. I don’t know what it’s sending a log of-that bothers me. I also did a little more background research. Apparently one of Baidu’s founders is an angel investor in EStrongs. I hate to say it, but this might compel me to stop using ES File Explorer even though it’s a great app…

For your reference, here are the contents of the XML file on my device:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>

<map>

<int name="timeinterval" value="24" />

<string name="cuid">|077024260485253</ string>

<long 3947ECD933FCB2F4F91AB27AEE2A34 8D name="lastsendtime" value="1415026434602" />

<string name="mtjsdkmacss"> qU7242VmtgqdqpefypCliw==</ string>

<string name="cuidsec"> WTUMQrCjbexVl0YepOKIUd7mCsyLmA RNinh5Cm28RQCYwTvuRxLO51ktKMfZ czzApSx3piqrtcuuN25IcN2bNA==</ string>

<boolean name="onlywifi" value="false" />

<boolean name="exceptionanalysisflag" value="false" />

<int name="sendLogtype" value="1" />

</map>

Someone smarter than me will have to figure out exactly what’s going on here. But thanks to OS Monitor I can at least confirm that ES File Explorer is indeed connecting to a server in Beijing:

Again, I can’t say exactly what is being shared here, but the fact that an app with access to everything on my device and my home network is making a remote connection without my express consent is enough for me to stop using it. Immediately.

If you suspect that there may be spyware on your Android device then OS Monitor is your new best friend.

Further Reading:

Xperia Care Support Forum: Unknown folder “baidu”

XDA Developers: What is baidu folder for?

Google Play Apps: OS Monitor