Browser also fails to encrypt exfiltrated data, exposing user PII, and features an insecure update process

Mar 29, 2016 11:00 GMT

A report from the Citizen Lab at the University of Toronto reveals that the popular QQ Browser is collecting sensitive user information and sending it in an insecure manner to its servers.

QQ Browser is yet another of those heavily customized Chromium clones that are distributed by companies that have no reason to distribute browsers. In this case, it's Chinese Internet giant Tencent, which provides its QQ Browser for the Windows, Mac, Android and iOS platforms.

According to the research group at Citizen Lab, the Android and Windows versions of this browser are collecting a trove of data from their users and have design flaws that expose this information to prying eyes while in transit.

QQ Browser collects information on its users, uploads it to Tencent servers

For starters, the Android version is collecting data such as the user’s search terms, browsing history, nearby WiFi networks, and the user's device IMSI and IMEI codes.

For the Windows version of QQ Browser, the app was caught collecting data such as the user's browsing history, hard drive serial number, MAC address, Windows hostname, and Windows user security identifier.

For both the Android and Windows versions, this data is transmitted to Tencent servers without encryption or with easily decryptable encryption.

Additionally, the browser's update process was flawed, allowing a skilled attacker to intercept the update request and bundle malicious software with the QQ Browser update package.

The researchers notified Tencent, which released new versions that addressed only some of these flaws. The University of Toronto also sent a letter to Tencent leadership, kindly asking for the reasons the company has been engaging in these user data collection practices.

The reason this happens may be rooted in Chinese legislation

Offering their own outside opinion on the situation, privacy and security experts at Citizen Lab say this may be happening because of legislation that forces all Chinese tech companies to cooperate with local law enforcement.

The new Chinese anti-terrorism law that came into effect at the start of the year says that all telcos and ISPs must provide in-depth details on their users to aid criminal investigations.

Knowing how Google was run out of China because of the government's strict censorship and cooperation laws, many of these Chinese companies have to collect this type of in-depth information on their users to ensure they don't anger Beijing. In a strictly controlled business environment like the one in China, any of these tech giants could end up replaced on the market by a more cooperative service, just as happened to Google.

This new Citizen Lab report marks the third incident in which the organization has discovered data exfiltration behavior in a popular China-based browser. The researchers published similar findings about the UC Browser in May 2015, and the Baidu Browser in February 2016.