Moplus SDK Issues Extend to Non-Baidu Apps

Analysis by Jordan Pan

We recently discussed both the backdoor-like behavior of the Moplus SDK and the related Wormhole vulnerability. Because the Moplus SDK was developed by Baidu and not publicly accessible, we initially thought the problem was limited to Baidu apps. Our latest research suggests that popular non-Baidu apps are also affected.

The growing impact

Our scanning identified more than 14,000 samples of various mobile apps that were affected. These included multiple samples for identical apps (as identified by their package name). Samples for a total of 684 apps were found to be affected, including popular apps like Baidu Map and Baidu Searchbox. The table below shows the 20 mobile apps with the most vulnerable samples identified in the wild:

Package Name Highest Version Samples Gathered 6.1.2 1576 7.9.1 1398 8.7.0 1307 1140 6.6.2Beta 1100 8.2.2 777
com.hiapk.marketpho 715 3.3.10 690 642 6.0.1 458 4.0.0 452
com.mfw.roadbook 5.8.6 417 6.0.7 407
com.ifeng.newvideo 6.9.6 392 7.9.0 381
com.quanleimu.activity 6.1.1 329 322 318 3.4.6 301
air.fyzb3 5.7.3 286

Table 1. Apps with most vulnerable samples

Affected app stores

Most of the Baidu apps available on Google Play no longer have the vulnerable code. However, there is one app (Baidu Music) that contains the code in question. According to information from  Baidu, they do not maintain it anymore, and the app will be taken down from Google Play next week. We also found another third-party app (央视影音) that remains vulnerable.

App Name Package Name Downloads
百度音乐 500,000 – 1,000,000
央视影音 cn.cntv 100,000 – 500,000

Table 2. Apps on Google Play with vulnerable code

For apps downloaded via the Baidu app store “百度手机助手”(, the most popular affected app was downloaded more than a billion times.  The top 20 downloads are listed below, with official Baidu apps bolded. Official apps from sources other than Baidu are in italics.

App Name Package Name Downloads (millions) Highest version
手机百度 1,080 6.0.1
百度地图 500 8.7.0
百度浏览器 430
百度贴吧 280 6.1.3
百度视频 260 7.9.1
爱奇艺 180 6.1.2
百度输入法 170
百度手机助手 170 6.6.2Beta
百度云 59.54 7.9.0
hao123 47.20
91桌面 44.05 7.2
汽车之家 com.cubic.autohome 35.58 4.5.1
汽车报价 com.cubic.choosecar 34.44 3.9.0
凤凰视频 com.ifeng.newvideo 28.03 6.9.6
风云直播 com.fy.zbapp 27.05 5.6.3
途牛旅游 16.45 6.0.7
百度news 16.40
百姓网 com.quanleimu.activity 15.35 6.1.1
央视影音 cn.cntv 11.71 5.4.2
数米基金宝 7.77 5.0.0

Table 3. Twenty most downloaded apps from Baidu with vulnerable code

Solutions and Best Practices

Baidu is working to upgrade the apps in question to remove any vulnerable code. We recommend that users upgrade to the latest versions of installed apps to protect their devices against this threat. Installing a security solution can also protect their devices against any threats that may try to exploit security vulnerabilities.

Trend Micro protects users via Trend Micro Mobile Security, which detects apps that contain the vulnerable SDK code as ANDROIDOS_WORMHOLE.HRXA before it can be installed on the device. Its app virus scanner feature can scan any installed apps to filter out malicious apps.

 Cooperation with Baidu

We have been in touch with Baidu to help resolve this situation. The official reply from Baidu states that they are working on three specific items to help secure users:

  • The code in question has been removed from the latest versions of official Baidu apps. As of October 30, only three apps were still affected: Baidu Maps, Baidu Input Method and Baidu Translate. Updates for these apps were released by November 4.
  • Other apps on Google Play which are no longer being maintained will be taken down.
  • Baidu is reaching out the developers of other apps that were built with the Moplus SDK in order to ensure that these apps are updated.

Read more: Moplus SDK Issues Extend to Non-Baidu Apps

Story added 6. November 2015, content source with full text you can find at link above.