The lightning-fast browser from everyone’s favorite developer Cheetah Mobile is in the news yet again, and for all the very wrong reasons! Twitter user Elliot Alderson (likely an alias) has shared a thread in which he breaks down the CM Browser APK to reveal the amount of shadiness going on in the background of the app.
Deceptive advertising and flagged as malware
The Play Store description says “#1 antivirus engine (rated by AV-TEST)”, which is a lie. The AV-TEST best Android security 2016 award had been given to Bitdefender and Sophos. What is even more ironic is that their app is in fact flagged as malware by VirusTotal.
Blocked ads and injecting your own
The description page on the Play Store says that CM browser features an Ad Blocker. It is supposed to block annoying pop-ups and ads so that you enjoy “clear and clean browsing”. However, you see this on the service list:
The intent is quite clear: it serves you their own ads.
Asking for system permissions
The first thing that you see on opening the AndroidManifest is that the app is asking for 3 permissions that are granted only to system apps. Why on earth would a web browser need to mount/unmount my file system?
What’s on my device? CM knows!
The CM Browser is listening for the PACKAGE_ADDED, PACKAGE_REMOVED, PACKAGE_CHANGED and PACKAGE_REPLACED intents in order to map your app usage history. It knows what you install/uninstall.
Not only that, they also listen for android.hardware.action.NEW_PICTURE, which means that they know when you take a new picture too.
All your viewing history is ours: CM Browser
In hFavorites.java, there is a list of adult websites, which is added to a HashMap in the constructor. This is a privacy violation, and selective monitoring of the user’s habits as well.
Even if you delete your browser history, you can find the last visited URL in the clear in a shared preferences file. They also store your browser history in plain text in browser.db, bypassing incognito mode too!
More tracking features
The AppExistTrackingReceiver is listening for multiple intents: USER_PRESENT and CONNECTIVITY_CHANGE. In its onReceive method it starts the KBrowserService if the device is connected to the network and the last upload is older than 6 hours.
In simpler words, this is to facilitate better tracking if you use apps that “boost” battery. Well, CM themselves offer plenty of those apps as well!
In the onCreate method of KBrowserService, it registers a BroadcastReceiver that listens for the SCREEN_ON and SCREEN_OFF intents. A lot of old-school malware used to do this.
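The manifest findings above (system-only permissions, receivers for package events, NEW_PICTURE, USER_PRESENT and CONNECTIVITY_CHANGE) are exactly the kind of thing you can check mechanically before installing a browser. The script below is an added example, not code from the thread or from Cheetah Mobile: it audits a decoded AndroidManifest.xml (as produced by apktool) for signature-level permissions and for receivers subscribed to surveillance-style broadcasts. The manifest embedded in it is constructed for the demo with the package name com.example.browser; only the AppExistTrackingReceiver name and the listed broadcast actions come from the analysis above, and the permission list is a partial, hand-maintained set.

```python
"""Audit a decoded AndroidManifest.xml for system-only permissions and
surveillance-style broadcast receivers (added example; the manifest below
is constructed, not taken from CM Browser)."""
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the android:name attribute, namespaced

# Partial list of permissions whose protectionLevel includes "signature":
# only apps signed with the platform key (or preloaded as privileged) get
# them. Keep it in sync with the Android permission documentation.
SIGNATURE_LEVEL_PERMISSIONS = {
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
    "android.permission.WRITE_SECURE_SETTINGS",
    "android.permission.READ_LOGS",
    "android.permission.REBOOT",
    "android.permission.WRITE_APN_SETTINGS",
}

# Broadcasts that let an app profile the user's installs, photos, presence
# and connectivity, mapped to what each one reveals. SCREEN_ON/SCREEN_OFF
# are absent on purpose: Android only delivers them to receivers registered
# at runtime, so a manifest scan cannot see them (the decompiled onCreate can).
WATCHED_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED": "app installs",
    "android.intent.action.PACKAGE_REMOVED": "app uninstalls",
    "android.intent.action.PACKAGE_CHANGED": "app state changes",
    "android.intent.action.PACKAGE_REPLACED": "app updates",
    "android.hardware.action.NEW_PICTURE": "new photos taken",
    "android.intent.action.USER_PRESENT": "device unlocks",
    "android.net.conn.CONNECTIVITY_CHANGE": "network connectivity",
}


def system_permissions(manifest_xml: str) -> list[str]:
    """Requested permissions that a third-party app should never be granted."""
    root = ET.fromstring(manifest_xml)
    requested = [p.get(NAME, "") for p in root.iter("uses-permission")]
    return sorted(p for p in requested if p in SIGNATURE_LEVEL_PERMISSIONS)


def watched_receivers(manifest_xml: str) -> dict[str, list[str]]:
    """Map each receiver class to the watched actions in its intent filters."""
    root = ET.fromstring(manifest_xml)
    findings: dict[str, list[str]] = {}
    for receiver in root.iter("receiver"):
        actions = [a.get(NAME, "") for a in receiver.iter("action")]
        hits = [a for a in actions if a in WATCHED_ACTIONS]
        if hits:
            findings[receiver.get(NAME, "?")] = hits
    return findings


def audit(manifest_xml: str) -> list[str]:
    """One human-readable finding per line."""
    lines = [f"system-only permission requested: {p}"
             for p in system_permissions(manifest_xml)]
    for cls, hits in watched_receivers(manifest_xml).items():
        lines.append(f"receiver {cls} observes "
                     + ", ".join(WATCHED_ACTIONS[h] for h in hits))
    return lines


# Constructed sample manifest: one normal permission, two signature-level
# ones, three tracking receivers and one benign receiver as a control.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <application android:label="Example Browser">
    <receiver android:name=".AppInstallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <action android:name="android.intent.action.PACKAGE_REPLACED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CameraReceiver">
      <intent-filter>
        <action android:name="android.hardware.action.NEW_PICTURE"/>
        <data android:mimeType="image/*"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AppExistTrackingReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".DownloadReceiver">
      <intent-filter>
        <action android:name="android.intent.action.DOWNLOAD_COMPLETE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print(finding)
```

Run it against `apktool d app.apk` output by reading the decoded AndroidManifest.xml into `audit()`. It covers the manifest half of the thread's findings; the runtime-registered SCREEN_ON/SCREEN_OFF receiver, the 6-hour upload timer and the plaintext browser.db still need a look at the decompiled code and the app's data directory.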
If you still don’t believe me you can take a look at the decompiled source code here on GitHub.
If you are looking for a real alternative, we suggest you take a look at Firefox Focus.
Its key features are:
- Blocks a wide range of common Web trackers without any settings to set
- Easily erases your history — no passwords, no cookies, no trackers
- By removing trackers and ads, Web pages may require less data and load faster
Or, you know, you could always use Chrome…
Source: Twitter (@fs0c131y)