How To Find Spyware On Your Android Device

OS Monitor

So how was your weekend? Good, good. Mine? Pretty uneventful, really. I did find out that an Android app that I’ve been using for years has been phoning home to China, but other than that…

The app in question is ES File Explorer, currently boasting some 300 million downloads in its Play Store listing. I’ve been using it for its remote file manager abilities, which basically turn my phone into an FTP server so I can transfer large files wirelessly over my home network. Little did I know that the app was also transmitting data back to a Chinese server at the same time.

But now I do, and it’s all thanks to some forum threads and my new favourite app.

Unknown Folder “baidu”

This all started with a thread on the Sony Xperia Care Forums that I came across last week. Honestly, the original idea for this post was to warn prospective Sony buyers about potential spyware in the My Xperia app. From that thread:

To sketch the magnitude of the problem: potentially, the Chinese government can:

  • Read status and identity of your device
  • Make pictures and videos without your knowledge
  • Get your exact location
  • Read the contents of your USB memory
  • Read or edit accounts
  • Change security settings
  • Completely manage your network access
  • Couple with Bluetooth devices
  • Know what apps you are using
  • Prevent your device from entering sleep mode
  • Change audio settings
  • Change system settings

All of the above can potentially be monitored and managed remotely via internet WITHOUT YOUR KNOWLEDGE OR PERMISSION!

Apparently the culprit is a folder in the internal (root) storage of Xperia devices called “baidu”. If you didn’t know, Baidu is the Chinese search giant that’s widely rumoured to have close ties with the PRC government. Hold that thought…

The proof that Sony was leaking data to Chinese servers came from a screen grab of an app I had never heard of, OS Monitor; it’s available on both the Play Store and F-Droid. Since F-Droid only hosts apps with some sort of open-source license, I figured it was legit. Best part of all? It doesn’t require root.


Back to Baidu, I had noticed a file in the internal storage of my Nexus 5 called “baidu.cuid”. A bit of searching yielded a thread on XDA with other Nexus owners also in possession of this mystery file. The consensus seems to be that ES File Explorer is to blame. From that thread:

To those that thought it *might* be ES File Explorer – I salute you. My research:

I deleted the directory and tried a bunch of apps to try and find the culprit. Then I did a root search of my phone for the word “baidu.” I used CM11’s file explorer rather than a 3rd party app. Here’s what came up: In folder /data/data/ is a file: __Baidu_Stat_SDK_SendRem.xml. When I look at the XML it’s pretty simple. It’s sending a logfile. I don’t know what it’s sending a log of – that bothers me.

I also did a little more background research. Apparently one of Baidu’s founders is an angel investor in EStrongs. I hate to say it, but this might compel me to stop using ES File Explorer even though it’s a great app…

For your reference, here are the contents of the XML file on my device:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<int name="timeinterval" value="24" />
<string name="cuid">|077024260485253</string>
<long 3947ECD933FCB2F4F91AB27AEE2A348D name="lastsendtime" value="1415026434602" />
<string name="mtjsdkmacss">qU7242VmtgqdqpefypCliw==</string>
<string name="cuidsec">WTUMQrCjbexVl0YepOKIUd7mCsyLmARNinh5Cm28RQCYwTvuRxLO51ktKMfZczzApSx3piqrtcuuN25IcN2bNA==</string>
<boolean name="onlywifi" value="false" />
<boolean name="exceptionanalysisflag" value="false" />
<int name="sendLogtype" value="1" />
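
An added example, not from the forum thread or this post: a short Python reader for a preferences file like the one quoted above, showing what can be read from it without guessing at the opaque values. The sample is constructed (identifier strings replaced by placeholders of the same decoded size); treating lastsendtime as Unix-epoch milliseconds and picking identifier keys by name are assumptions.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample modelled on the quoted file. Key names and the values of
# timeinterval, lastsendtime, onlywifi and sendLogtype are the ones on the page;
# the identifier strings are placeholders (16 and 64 decoded bytes, as quoted).
SAMPLE = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<int name="timeinterval" value="24" />
<string name="cuid">PLACEHOLDER|000000000000000</string>
<long name="lastsendtime" value="1415026434602" />
<string name="mtjsdkmacss">{blob16}</string>
<string name="cuidsec">{blob64}</string>
<boolean name="onlywifi" value="false" />
<boolean name="exceptionanalysisflag" value="false" />
<int name="sendLogtype" value="1" />
""".format(blob16=base64.b64encode(bytes(16)).decode(),
           blob64=base64.b64encode(bytes(64)).decode())


def parse_prefs(text):
    """Parse Android SharedPreferences XML into {name: typed value}."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # declaration must go before wrapping
    if not re.search(r"<map[\s/>]", body):
        body = "<map>" + body + "</map>"  # the paste above has no <map> root element
    prefs = {}
    for el in ET.fromstring(body):
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
    return prefs


def b64_len(value):
    """Decoded byte length if value is strict, padded base64; otherwise None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def triage(prefs):
    """Summarise what the file records without interpreting the blobs."""
    report = {"last_send_utc": None, "wifi_only": prefs.get("onlywifi"),
              "interval": prefs.get("timeinterval"),
              "opaque_blobs": {}, "id_like_keys": []}
    ms = prefs.get("lastsendtime")
    if isinstance(ms, int):
        # Assumption: a 13-digit value is milliseconds since the Unix epoch.
        report["last_send_utc"] = (EPOCH + timedelta(milliseconds=ms)).isoformat()
    for key, value in prefs.items():
        if not isinstance(value, str):
            continue
        size = b64_len(value)
        if size is not None:
            report["opaque_blobs"][key] = size  # size only; contents are not decoded
        # Assumption: key names containing "cuid" or "mac" hold device identifiers.
        if "cuid" in key.lower() or "mac" in key.lower():
            report["id_like_keys"].append(key)
    return report


if __name__ == "__main__":
    for field, value in triage(parse_prefs(SAMPLE)).items():
        print(field, "=", value)
```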

Someone smarter than me will have to figure out exactly what’s going on here. But thanks to OS Monitor I can at least confirm that ES File Explorer is indeed connecting to a server in Beijing:

ES File Explorer Phoning Home to Beijing

Again, I can’t say exactly what is being shared here, but the fact that an app with access to everything on my device and my home network is making a remote connection without my express consent is enough for me to stop using it. Immediately.

If you suspect that there may be spyware on your Android device then OS Monitor is your new best friend.

Further Reading:

Xperia Care Support Forum: Unknown folder “baidu”
XDA Developers: What is baidu folder for?
Google Play Apps: OS Monitor

43 thoughts on “How To Find Spyware On Your Android Device”

  1. “Again, I can’t say exactly what is being shared here, but the fact that an app with access to everything on my device and my home network is making a remote connection without my express consent is enough for me to stop using it.”

    Then I’m assuming you’re going to stop using all Google services now?

    1. No, why would you assume that?

      Obviously I would expect Google to be able to carry data across the Internet to my phone, just as I would not expect my file browser to need this same functionality.

    1. Yes. Hello, fellow redditors, I am also one of you!

      I was also, by the way, the person who posted Estrong’s feedback to the Howard Forums. But it still doesn’t sit well with me that a file browser, on my home WiFi network, is pinging a remote server. That the server in question happens to be in China is beside the point, at least for me.

      FTPDroid and the native file browsers on CM and SlimKat have replaced ES on the Android devices in this house. But if people reading this still want to keep using it I’m not going to stop them.

      1. Hi, if CM file is what you are using, then you should know that they are associated with Baidu, or were spun off. Still you may want to check its connections. I’m guessing the app is by Cheetah Mobile that is. The problem with most apps in playstore is unless you pay for something, then knowing the country of origin is difficult. Most Chinese apps are free because Google did not allow them to monetize until now I think. So one needs to do a little research.

  2. So you have no issues of Google and Facebook spying on you and sharing this data with your government, but freak out over Baidu analytics pings just because the server is in China? Just because the company is Chinese so it’s “spyware” automatically?

    I can see Western propaganda is working really well.

    1. I think I’ve made my stance on this particular app clear. I’m not really interested in arguing whether ESFE is spyware or not; I’ve already uninstalled it and moved on.

    2. I found a similar connection to China on my Android tablet. It is also from a File Manager app and it CANNOT be uninstalled.

    3. Yeah, sending “anonymous” data over to servers in a totalitarian country that last I recall crushed living demonstrators under tanks (namely China) worries me. A lot.

      1. Hi, I found a good Android file manager, that the developer is from Sweden. It has Google analytics. Based on a Windows file manager style, but works great. Free and ad free too. There are free add-ons or extensions for Drive, Dropbox, and other file transfers. Also has a good media player built in. Total Commander app is in playstore, and has been around for a long time. Read the reviews, and permissions are acceptable. Check it out.

  3. Using the Privacy settings built into Cyanogenmod, it’s child’s play to block ES from getting location data. I believe you can also use this system to stop the apps from phoning home.

  4. Considering this was written back in November… has ESFE changed their practices? I’m not seeing any communication between ESFE and Baidu. I’m not blocking anything either.

      1. That’s a nice app though (OS Monitor). It looks like Amazon is communicating to the Netherlands. My guess is that some of the larger profile apps could be accessing a server cluster: fastest available connection at any given time. Not sure if that was the case with ESFE but I still don’t see any communication under it. I do have the Baidu folder as well.

      1. Here’s a thought, do you have ESFE set to automatically check for updates? (Settings / Update Settings)

        I just enabled Auto Check on ESFE and finally saw the connection to China. Soon as I unchecked that setting, connection is gone.

        Kinda surprised no one thought to look in to ESFE settings a little closer 🙂 If I had to guess, ESFE (including the China communication) is harmless.

  5. The File Manager 1.0 app on my Android tablet also has permission to access NFC. That is REALLY ODD and it doesn’t seem particularly harmless to me. I’m still searching for a way to Uninstall this app.

      1. Hi, I googled the issue and apparently you can transfer files to another device using nfc.

  6. Greetings,

    I found out about Es file by another route, even though I have os monitor. I recommend (Lostnet no root firewall) you can block and monitor data connections, and for $.99 go pro with the ability to capture packets and analyze. There are several new NO ROOT firewall apps in playstore. But this one had minimal permissions. Two others permissions did not match the stated permissions at the bottom of playstore page, to the permissions asked for when you click the download tab. So, Lostnet is a safer choice, plus you can see what is going on in the background, like all the apps that are following your every move, you know, to better serve you ads. Anyways, I still don’t know what information edge is sending, but like the author, just true fact that it connects to Baidu is enough for me to block the connection. In light of the fact that Baidu’s network was being used by the Chinese government to attack Github with a DDOS over the last week. And there are many other reasons to be cautious of Chinese products, specifically because of their connections to the government. Many OEMs have been caught with backdoors, and even pre-installed malware, adware, and spyware. They conveniently blame “unknown others in the supply chain” or claim “it was a very good clone” by Xiaomi. See bluebox article. And Coolpad was found doing the same things. See Palo Alto networks, coolreaper. Both found by googling.

    I often asked why all these great Chinese apps were free, and found out that up until recently, Google was not allowing them to monetize. But the biggest worry is all the permissions a security app, or file management app have access to on your phone. There are many risks most just don’t understand. PS: Blocking the connection for Es file does not cause any problems with using the app, and it only communicates when you are actually in the app. Or as soon as you open it.

  7. While I applaud the attentiveness to apps and what they are actually doing, this particular case was not entirely thought out. There are far too many people out there who install apps without thinking twice of who created it, what it does, what access it has, etc. But at the same time one must remember that the Internet has no boundaries. If you use Facebook Messenger, you are often connecting to Dublin Ireland. If you use the Amazon app, you are often connecting to the Netherlands when submitting payments. These larger profile apps are no doubt running on a network designed for redundancy and in many cases this means globally.

    As I stated earlier in the comments, this “issue” with ES File Explorer is not an issue at all. The communication with Beijing is merely to check for updates. If this bothers you, get into ESFE Settings, Update Settings, and disable Auto Check. Your ESFE communication to Beijing will cease and everything will be right with your world. But by all means, keep using OS Monitor and keep looking for suspicious activity, but please dig a little deeper than a forum discussion or Google search on your findings.

    1. @Brian, stopping checks for updates is only one such connection. It seems you yourself did not explore settings far enough. The privacy statement accessible from setting mentions analytics and I confirmed after unchecking updates that ESFE still connects to Baidu. Although this is a similar service that Google performs, your connection to China is what I take issue with, not the collection of supposed anonymous usage data. It is that true connection works both to and from that is concerning. But if you block the connection, the app still performs just fine. ESFE may be completely innocent, and Baidu as well, but the Chinese government IS NOT! So go read about the latest attack on github, and the fact that Google and Mozilla are revoking certs for CNNIC because of blatant violations. Analytics could be done by Google (as they already are part of smart phone users’ lives) and then forwarded to any Chinese vendors. I, and others, should have done our homework before downloading this app, or any for that matter. But the web has nothing but praise for ESFE and rightly so, as it is very good at what it does. But they should have been more transparent about the connections it initiates.

      But even worse, are any apps with ad SDKs because they are still operating in the background even though you are not using it. These banner ad SDKs follow your activity most right after closing them, even by using the return function. So as the last commenter states, yes, it is virtually impossible to avoid the intrusive behaviors, but we CAN take steps to mitigate them. Privacy and security issues are only going to increase, so the more information you have, the better we can protect ourselves.

  8. One should not simply believe that he can still use a “smart phone” without having companies or governments spying on him and getting whatever info they need. If we uninstalled ES there will always be a way, we can’t hide.
    I am a privacy freak, but I use my phone knowing that they can get anything, anytime.
    Google have full permission for every single thing, why we don’t see anyone complaining? Because we can’t uninstall Google, and nothing can make us get sure that they REALLY respect our privacy.
    Anyway the xml, if sent, is not shared to public, so not a big deal but good thing to know.

    1. Hi,

      ES may not be spyware in the traditional sense of the word. But it does have privacy issues besides the ones I listed above. This study by Carnegie University Computer Labs gives ES File a grade of C, and the range is A-D only. Here is a link:
      They graded tens of thousands of Android apps. Any app that communicates using only http, connects to servers in China, is vulnerable to a MITM (man in the middle) attack. That means malware can be silently delivered to your device. Which includes adware, spyware, and malware! The opo thread is lame to say the least, because no one has an idea what is going on in the background. Including the comment just before this one. I on the other hand, have tested, and researched this issue for some time now.

      And another thing, if you have any app, or PHONE that is not connecting over https to any server in China, then you ARE vulnerable! The Chinese government has mandated that all software/hardware WILL have access designed into their products. And if someone wants to do business with China, they have to give up source code. Apple has already agreed to their terms. Others as well are giving into demands. So enjoy your phones!

  9. Hi all, if anyone still follows this, here is something that will raise your eyebrows. Remote access thru ES-FILE EXPLORER. This was for an older version, but I can find nowhere that it was fixed. And worse, the website CVE and NVD Nist are not showing anything, but the researcher who discovered it put up the research paper online probably because it HAS NOT been fixed, and is now blocked from being viewed on normal venues. Here is the link to the paper.

    I have written to them, and CVE for information on this, so will update if and when I learn more. Any normal vulnerability would show up on CVE as being patched, or not. Never seen one blocked before.

  10. I found the Chinese IP in my snort alerts as “Network trojan detected”

    After tracking it down, it was coming from my Android that has ESFE installed.

    It takes very little googling to find how much malware originates from the PRC…..

    No more ESFE on my devices…..

  11. I tried using X-Plore and ES File Explorer on Android. After making an SSH connection, I saw a suspicious login to the remote server with an IP address in India (which might not be accurate because IP addresses can be faked). This might be coincidental – and I cannot say which one (if either) sent my log in details to a third party … but I took remedial action on the remote server and uninstalled both Android apps immediately.

  12. Thanks for your post. I am from Information security from past 7 years. I have also passion of computer forensics. So, today I thought to enable root account on my android phone very first time to see background network activities. Fortunately, I found network activities as shown below:

    tcp6 1 1 ::ffff: ::ffff: LAST_ACK

    I found this IP address is related to baidu

    Once I found all these details, I searched on Google to check if any other person has an issue like this. I found your website link and I read all above mentioned by you.

    And also I checked xml file mentioned by you and interval time was 24 there. This app seems suspicious to me.
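
An added example, not part of the comment above: netstat builds lines like the tcp6 one quoted there from /proc/net/tcp6, which also records the UID that owns each socket, so a connection can be attributed to an app. The table rows and the UID-to-package map below are constructed (documentation addresses, placeholder package names), and the byte-order handling assumes a little-endian device.

```python
import ipaddress

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# The kernel prints each 32-bit word of the address with its bytes reversed
# (on little-endian CPUs), so ::ffff:a.b.c.d ends in FFFF0000 followed by d c b a.
V4 = "00000000" "00000000" "FFFF0000"
ANY = "00000000" * 4


def _row(n, local, remote, state, uid):
    """Build one constructed line in /proc/net/tcp6 column order."""
    return ("%4d: %s %s %s 00000000:00000000 00:00000000 00000000 %5d        0 0"
            % (n, local, remote, state, uid))


# Constructed sample table, not captured from a device.
SAMPLE_TCP6 = "\n".join([
    "  sl  local_address remote_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode",
    _row(0, V4 + "1401A8C0:9C40", V4 + "077100CB:0050", "09", 10123),  # to 203.0.113.7:80
    _row(1, ANY + ":0849", ANY + ":0000", "0A", 10123),                # listening on 2121
    _row(2, V4 + "1401A8C0:C822", V4 + "056433C6:01BB", "01", 10045),  # to 198.51.100.5:443
    _row(3, "B80D0120" + "00000000" * 2 + "02000000:A1B2",
            "B80D0120" + "00000000" * 2 + "01000000:146C", "01", 1000),  # native IPv6 peer
])

# Constructed map; on a real device it comes from the installed-package list.
UID_NAMES = {10123: "com.example.filemanager", 10045: "com.example.browser"}


def decode_addr(field):
    """Turn 'HEXADDR:HEXPORT' into (ip object, port), unwrapping ::ffff:a.b.c.d."""
    hex_ip, hex_port = field.split(":")
    raw = b"".join(bytes.fromhex(hex_ip[i:i + 8])[::-1] for i in range(0, 32, 8))
    ip = ipaddress.IPv6Address(raw)
    return ip.ipv4_mapped or ip, int(hex_port, 16)


def parse_tcp6(text):
    """Return one dict per socket row, skipping the header and short lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].endswith(":"):
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3].upper(), f[3]),
            "uid": int(f[7]),
        })
    return rows


def remote_peers(text, uid_names):
    """List (owner, remote ip, remote port, state) for sockets with a real peer."""
    peers = []
    for row in parse_tcp6(text):
        ip, port = row["remote"]
        if row["state"] == "LISTEN" or ip.is_loopback or ip.is_unspecified:
            continue  # no remote endpoint to attribute
        owner = uid_names.get(row["uid"], "uid %d" % row["uid"])
        peers.append((owner, str(ip), port, row["state"]))
    return sorted(peers)


if __name__ == "__main__":
    for peer in remote_peers(SAMPLE_TCP6, UID_NAMES):
        print("%-26s %s port %d (%s)" % peer)
```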


  13. I wondered why/how ES File Explorer could afford to give away the farm with no ads or upgrades for so long. I removed it and went with FX File Explorer, made in the USA by ‘Mericans. Turns out to be better anyway.

    1. ES File Explorer cannot be trusted and has been deleted. Thank you all for your info. What does Google have to say about it? Google must know all these things and also cannot be trusted. Very embarrassing for an American and an American Co.

  14. Baidu is the Chinese Google, so it kind of makes sense, given how much Google tracks its users. Anyway I deleted the app because it’s too slow.

  15. All these discussions and opinions are totally moot. They have their fingers into everything. They can know whatever they care to look at, me, you, Mick Jagger, the mailman. It’s all at their fingertips. But you know what? That’s a good thing. Why? Because it just doesn’t matter any more. Fuck it. If you have something to hide give it up. There are 300 million of us in the US. If the Chinese invade are they really gonna come rolling down your street and call you out? You’re not that important. So relax. Breathe deeply.

  16. I’ve had es file explorer for as long as I can remember, even bought the pro. Come to find out the underlying connection had been inputting malware and Trojans while setting up shop around all my devices and networks. Over the last 8 months I’ve been trying to get them out of my domain out of my tablets and pc’s. They’ll change your apk’s your google frameworks and just about everything about your device to go unnoticed. They are especially fond of Qualcomm roots and can easily incorporate it if you come across a Chinese device like huawei. The data in general on all devices travel through a few other countries that don’t have data privacy restrictions protecting the data to the fullest extent. In the privacy acts google states that they’ll do what they can to protect our data more or less. Hell I’ve got Chinese Taiwan and a few other gov root certs now I can’t get rid of. My devices are rooted for their control, I can’t use root. On the androids anyways. I’ve been forced out of windows because I recovered my hard drives that contained info on them about 100x over collecting more data as I went. Now days I’m stuck in KDE and Linux learning code and trying to clean the preseed installations that keep coming on any install. (No matter how I partition or wipe a HD or where the ISO comes from) I’m trapped in a client host situation my ISP can’t stop nor can I with my router controls. They always get back in. My emails are spammed to death by an email assassin bash. Well anyways, I’ve gone to google and they’re in the works helping me compile data on the assailants and es which keeps getting data access even though it’s not installed. I’ve got one PC clean and consistently logging my other pc’s in a hidden shell. I think I’ll be coming out with a sum of cash here soon 😉

    1. Hi Synister,

      I have no doubts about the infections on all your devices, but, the fact that you mention being rooted by them leads me to believe that you were infected by any number of auto-rooting malware discovered over the last couple years. But, ES File may likely have been the door the malware used to enter. I think you will find this report/research, done by Citizens Lab in Toronto Canada, very helpful, or at least, enlightening.
      I had been warning about the insecure connections Chinese apps were making to servers inside China. Many utility apps like browsers, file managers, mobile security, have some of the largest permissions sets making them vulnerable if they were used to assist a malware infection. You may be aware of China’s censorship, and the national firewall called “the Great Firewall of China”. That means they can intercept any connections coming and going from that country. Now, hold that thought.

      Last year, there was a rather large DDoS attack on GitHub, and again, Citizens Lab to the rescue. Their research discovered China as the culprit. Because the code shared some characteristics with the Firewall, they named the new code “Great Cannon”. This cyber weapon can be used in lots of ways, especially when combined with the Firewall. Here’s that report:
      citizens lab, great cannon

      And another DDoS attack last year came from over a half million mobile devices, smart phones, but pointed right back at Baidu, (who owns ES File Manager, and hundreds more apps) you can read about that here:

      I hope you subscribed to this thread, because I really would like to keep up with how your situation ultimately gets resolved. But, in case you don’t know it, most auto-rooting malware requires the device be wiped, and the ROM be reinstalled. If your devices are beyond OS updates and security patches, you should wipe them and install Cyanogen OS for your Android devices. They have lots of up to date ROMs for many devices, but that’s what it’ll take, if I understood you correctly. Good luck, and let us know how you make out.

  17. I want to start by saying I feel as if I’m always two years behind whenever I see these posts they’re all from 2015/2016 but this is currently still happening to me right as of May 28th 2017 I definitely understand what you’re going through and I think after what I have to say you’ll probably agree that my situation is even worse. Stalkers have corrupted as of today 56 (fifty-six) laptops 23 tablets 22 smartphones 13 Apple devices two Android notebooks 9 pc windows and for Chromebooks. What’s most bizarre about this entire situation is That No One Believes Me I have Trace it back to the EZ file application as well as super fish servers since they had put pre-installed software in a Lenovo laptop that I was given for Christmas 2014. I literally walk into a Best Buy, Walmart make that any computer store and II that I pressed power without even putting my name in the device they’re already on it. This is gotten even more aggressive then just the destruction of equipment they’ve gotten me fired from the last three employer’s they took down one of my employers servers for 3 days then as I was trying to show my boss McAfee Stinger program was showing pages of errors and how Windows was not able to update drivers in the headset and trying to tell him that is where the exploit was. When I applied for Sunrun Solar they took the company down literally 4 24 hours They told me that they couldn’t get in contact with me by phone or email and they needed an open line of communication for the position I was applying for and that’s the reason why they couldn’t hire me. I would have made at least $250,000 a year there next became fleet manager at Bell Road Toyota. This is where they got into the system there and took the Wi-Fi down disabled me from getting automobiles out through the fingerprint scanner then when Toyota went to Wi-Fi thermostat they froze the internet room 250 degrees so all my colleagues were literally wearing jackets you knowing exactly what’s going on. 
When the text came out and replace the thermostat said everything’s good to go it just began clicking down in degrees the second said he left period now that all scenes like jokes and just harassing someone but it gets even worse. So now we’re at 3 employers I then emailed my friend and ask him what he thought of my resume but he said what did I think of squares and circles and triangles so I knew it was encrypted I Found nigori running on this Chromebook nigori encryption. Then they disabled me from filing unemployment or actually had misled me to believe that I had completed all the necessary forms for unemployment as well as nutrition assistance. They have literally destroyed my life spamming my friends on Facebook to the point where I almost deleted my own account just because I thought that that was the primary source and I didn’t want any of my friends going through any of that harassment like I have been going through. And as embarrassing as this next part is she say and to talk about I feel that I must. I saw an apartment thread running in the registry in the binary of a Toshiba right before I moved into this new apartment period so I knew that they tracked what I was going to live next at that point they took the internet down the Wi-Fi down at the apartment complex then after telling my father about this and asking for advice I get a knock on my door at 12:45 a.m. about 3 days later. I had 4 loads of laundry and and started thinking to myself who the heck knows that I live here I just moved in maybe someone saw someone taking some of my clothes, that wasn’t the case period when I open the door to police officers came rushing at me at gunpoint. 
Well when I saw them pulling guns out I started shutting the door I don’t do anything illegal but just don’t like anyone pointing a gun at me right when I open my door anyways well they manage to get one leg in and then the two of them Force the door open then twisting both arms behind my back breaking my nose I asked them if I was under arrest they said no you just need to come with us. At that point I’m the other officer ran into my room with his gun drawn I lifted the police officer that lives on my back up and then carried him over to the other cop with his gun drawn and ask them what in the hell was going on what if I had my girlfriend in there what right do they have Arginine to my rooms at gunpoint. Anyways my left wrist will never be the same like the Cuffs are on so bad that I was dripping blood when the cops were taking off me. I asked him where we were told me that we are at the insane asylum the mental health facility or Mental Health institution. I’ve never been to a psychologist North psychiatrist I’m a very educated man graduated with a 4.2 on the chess club, proposed Bill to Congress Etc so then they said the lineup for meds in a very aggressive tone and I went to the nurse and said I do not take any medications she said okay smart-ass what medication are you supposed to be taking that your doctor prescribe you and you’re not taking I responded with I don’t have a doctor period she turned her head around and looked at the other nurse and said what do we give him then she turned back and looked at me with a bewildered look on her face I put 200 in a calendar lean closer to her and say give me a Valium and a Zanny bar. She said you seem so anxious and we don’t have Zanny bars or Valium. 
Add that point time I noticed an African-American gentleman dragging one foot sideways which is shoulder drop down with one eye looking directly at the ceiling and the other eye looking at the floor as he slowly past the nurse station with everyone seeing him through the tempered glass I look back at the nurse and I said I’ll have what he’s having. I apologize for going on about this but they ended up keeping me there for 18 days forcing injections of Risperdal for I was to leave my cell. I will say this I’ve been to County Jail even on the Chain Gang in Joe Arpaio Tent City but where they put me was truly a frightening situation I woke up the first day with a pencil pushed about a quarter inch into my neck by a 6ft 5 310-pound African American. That my friends is where the truly truly crazy people reside and with absolutely no guards just a couple nurses it’s a little disturbing. Anyways the people of taking me to the point where I have absolutely no money just enough money for full tank of gas a roll of duct tape, a bottle of whiskey and I’ll steal some neighbors hose., then I’ll Roundup as many pharmaceutical pills that I have laying around and sleepers and probably head up Beeline Highway just drive off the side of the road into some wooded area take a handful of those pills washing down half bottle of Jack write my family letters. I don’t know if anyone’s seen the movie Red Dawn but I feel as if I’m the father in The prisoner camp and as Patrick Swayze and Charlie Sheen leave him at the chain linked fence, he yells “boys, (slight pause as a tear forms in his eye) Boys! Avenge me!! avenge me”. On a last note if anyone wants to see some of the punishment and daily torture that I’ve been going through you can type in YouTube, Big thanks to Lenovo for pre-installed spyware as well as I wanted to give a huge thank you two the gentleman that started this thread I apologize for writing too much and curious did you ever get a s*** ton of money?

Comments are closed.