Posted on by Karan Shah

Here’s what data CM Browser stores in the background

The lightning-fast browser from everyone’s favorite developer Cheetah Mobile is in the news yet again, and for all the very wrong reasons! Twitter user, Elliot Alderson (likely an alias), has shared a thread where he breaks down the CM Browser APK to reveal the amount of shadiness going on in the background of the app.

Deceptive advertising and flagged as malware

In the description, it said “#1 antivirus engine (rated by AV-TEST)” which is a lie. The AV-TEST best Android security 2016 award had been given to Bitdefender and . And what is even more ironic is that their app is in fact flagged as malware by VirusTotal.

CM Browser flagged as malware by VirusTotal

Blocked ads and injecting your own

The description page on the Play Store says that CM browser features an Ad Blocker. It is supposed to block annoying pop-ups and ads so that you enjoy “clear and clean browsing”. However, you see this on the service list:

nativesdk.ad.common.service.AdPreloadService

The intent is quite clear, it serves you their own ads.

Asking for system permissions

The first thing that you see on opening the AndroidManifest is that the app is asking for 3 permissions which are granted only for system apps. Why on earth would a web browser need to mount/unmount my file system?

What’s on my device? CM knows!

The CM Browser is listening to PACKAGE_ADDED, PACKAGE_REMOVED, PACKAGE_CHANGED and PACKAGE_REPLACED intents, in order to map your app usage history. It knows what you install/uninstall.

Listening to app installs/uninstalls

Not only that, they also listen to android.hardware.action.NEW_PICTURE which means that they know when you click a new picture too.

Listening for new pictures

All your viewing history is ours: CM Browser

In Favorites.java, there is a list of adult websites, which is added to a HashMap in the constructor. This is a privacy violation, and selective monitoring of the user’s habits as well.

Even if you delete your browser history, you can find the last visit URL in clear in a shared preferences file. They also store your browser history in plain text in browser.db, bypassing incognito mode too!

More tracking features

The AppExistTrackingReceiver is listening to a multiple intent: USER_PRESENT, CONNECTIVITY_CHANGE. On the onReceive method it will start the KBrowserService if the device is connected to the network and the last upload is older than 6 hours.

The KeepAlive service

In simpler words, this is to facilitate better tracking if you use apps that “boost” battery. Well, CM themselves offer plenty of those apps as well!

On the OnCreate method of KBrowserService, it registers a BroadcastReceiver which listen to SCREEN_ON and SCREEN_OFF intents. A lot of old-school malware used to do this.

Monitoring user’s screen locking habits

If you still don’t believe me you can take a look at the decompiled source code here on GitHub.

If you are looking for a real alternative, we suggest you take a look at Firefox Focus.

Firefox Focus: The privacy browser
Firefox Focus: The privacy browser
Price: Free

A key list of its features are:

  • Blocks a wide range of common Web trackers without any settings to set
  • Easily erases your history — no passwords, no cookies, no trackers
  • By removing trackers and ads, Web pages may require less data and load faster

Or, you know, you could always use Chrome…

Source:  Twitter (@fs0c131y)