How To Find Spyware On Your Android Device

OS Monitor

So how was your weekend? Good, good. Mine? Pretty uneventful, really. I did find out that an Android app that I’ve been using for years has been phoning home to China, but other than that…

The app in question is ES File Explorer, currently boasting some 300 million downloads in its Play Store listing. I’ve been using it for its remote file manager abilities, which basically turns my phone into an FTP server so I can transfer large files wirelessly over my home network. Little did I know that the app was also transmitting data back to a Chinese server at the same time.

But now I do, and it’s all thanks to some forum threads and my new favourite app.

Unknown Folder “baidu”

This all started with a thread on the Sony Xperia Care Forums that I came across last week. Honestly, the original idea for this post was to warn prospective Sony buyers about potential spyware in the My Xperia app. From that thread:

To sketch the magnitude of the problem: potentially, the Chinese government can:

  • Read status and identity of your device
  • Make pictures and videos without your knowledge
  • Get your exact location
  • Read the contents of your USB memory
  • Read or edit accounts
  • Change security settings
  • Completely manage your network access
  • Couple with Bluetooth devices
  • Know what apps you are using
  • Prevent your device from entering sleep mode
  • Change audio settings
  • Change system settings

All of the above can potentially be monitored and managed remotely via internet WITHOUT YOUR KNOWLEDGE OR PERMISSION!

Apparently the culprit is a folder named “baidu” at the root of the internal storage on Xperia devices. If you didn’t know, Baidu is the Chinese search giant that is widely reported to have close ties with the PRC government. Hold that thought…

The evidence that Xperia devices were sending data to Chinese servers was a screenshot from an app I had never heard of, OS Monitor. It is available on both the Play Store and F-Droid, and since F-Droid only hosts apps with an open-source licence and builds them from source, I figured it was legit. Best part of all? It doesn’t require root: it just reads the per-process and per-connection information the system already exposes and tells you which app owns which socket.


Back to Baidu, I had noticed a file in the internal storage of my Nexus 5 called “baidu.cuid”. A bit of searching yielded a thread on XDA with other Nexus owners also in possession of this mystery file. The consensus seems to be that ES File Explorer is to blame. From that thread:

To those that thought it *might* be ES File Explorer – I salute you. My research:

I deleted the directory and tried a bunch of apps to try and find the culprit. Then I did a root search of my phone for the word “baidu.” I used CM11’s file explorer rather than a 3rd party app. Here’s what came up: in folder /data/data/ is a file: __Baidu_Stat_SDK_SendRem.xml. When I look at the XML it’s pretty simple. It’s sending a logfile. I don’t know what it’s sending a log of, and that bothers me.

I also did a little more background research. Apparently one of Baidu’s founders is an angel investor in EStrongs. I hate to say it, but this might compel me to stop using ES File Explorer even though it’s a great app…

For your reference, here are the contents of that XML file on my device. It is an Android SharedPreferences file, so each element is one typed key/value pair (int, long, string, boolean) stored by the app:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<int name="timeinterval" value="24" />
<string name="cuid">|077024260485253</string>
<long name="lastsendtime" value="1415026434602" />
<!-- the token 3947ECD933FCB2F4F91AB27AEE2A348D appeared inside the <long> tag in the copy as posted; it is not a valid attribute and is kept here only so nothing is lost -->
<string name="mtjsdkmacss">qU7242VmtgqdqpefypCliw==</string>
<string name="cuidsec">WTUMQrCjbexVl0YepOKIUd7mCsyLmARNinh5Cm28RQCYwTvuRxLO51ktKMfZczzApSx3piqrtcuuN25IcN2bNA==</string>
<boolean name="onlywifi" value="false" />
<boolean name="exceptionanalysisflag" value="false" />
<int name="sendLogtype" value="1" />
</map>
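Because this is a standard Android SharedPreferences file, the values can be decoded mechanically rather than eyeballed. The following is an added example for this post, not code from the page, from ES File Explorer or from Baidu: it parses the file quoted above (wrapped in the <map> root element that every SharedPreferences file has) into typed Python values and reads the bookkeeping fields as an upload schedule. Treating timeinterval as hours is an assumption; the rest is decoded purely from the types in the file.

```python
"""Decode an Android SharedPreferences XML file, the format of the
__Baidu_Stat_SDK_SendRem.xml file quoted above, into typed Python values.

Added example for this article; not code from the page, from ES File Explorer
or from Baidu.  SAMPLE_PREFS is the file as quoted in the post, wrapped in the
<map> root element every SharedPreferences file has.  Reading "timeinterval"
as hours is an assumption; the other fields are decoded purely by their type.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMPLE_PREFS = """\
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<int name="timeinterval" value="24" />
<string name="cuid">|077024260485253</string>
<long name="lastsendtime" value="1415026434602" />
<string name="mtjsdkmacss">qU7242VmtgqdqpefypCliw==</string>
<string name="cuidsec">WTUMQrCjbexVl0YepOKIUd7mCsyLmARNinh5Cm28RQCYwTvuRxLO51ktKMfZczzApSx3piqrtcuuN25IcN2bNA==</string>
<boolean name="onlywifi" value="false" />
<boolean name="exceptionanalysisflag" value="false" />
<int name="sendLogtype" value="1" />
</map>
"""


def parse_shared_prefs(xml_text):
    """Return {name: value}; each child of <map> is one typed key/value pair."""
    prefs = {}
    for elem in ET.fromstring(xml_text):
        name = elem.get("name")
        if elem.tag in ("int", "long"):
            prefs[name] = int(elem.get("value"))
        elif elem.tag == "float":
            prefs[name] = float(elem.get("value"))
        elif elem.tag == "boolean":
            prefs[name] = elem.get("value") == "true"
        elif elem.tag == "string":
            prefs[name] = elem.text or ""
        elif elem.tag == "set":                      # <set><string>..</string></set>
            prefs[name] = {child.text or "" for child in elem}
        else:                                        # unknown type: keep raw text
            prefs[name] = elem.get("value", elem.text)
    return prefs


def ms_to_utc(millis):
    """Java's System.currentTimeMillis() is milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(millis / 1000, tz=timezone.utc)


def summarize_send_schedule(prefs):
    """Read the SDK's bookkeeping fields as an upload schedule."""
    last = ms_to_utc(prefs["lastsendtime"])
    interval = timedelta(hours=prefs["timeinterval"])   # assumption: hours
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "last_send_utc": last.strftime(fmt),
        "next_send_utc": (last + interval).strftime(fmt),
        "wifi_only": prefs["onlywifi"],
        "has_device_id": bool(prefs.get("cuid")),
    }


if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_PREFS)
    for key, value in prefs.items():
        print(f"{key:22} {type(value).__name__:5} {value}")
    print(summarize_send_schedule(prefs))
```

Run it and the lastsendtime value resolves to 3 November 2014 at 14:53 UTC, with the next upload due 24 hours later if the interval really is in hours; onlywifi being false means the upload is not held back for Wi-Fi.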

Someone smarter than me will have to figure out exactly what is being logged and sent. The names do give a hint, though: the file belongs to a Baidu “Stat SDK” bundled into the app, cuid looks like a per-device identifier (it matches the baidu.cuid file on storage), and lastsendtime together with timeinterval 24 looks like a once-a-day upload. Whatever the payload is, thanks to OS Monitor I can at least confirm that ES File Explorer is indeed connecting to a server in Beijing:

ES File Explorer Phoning Home to Beijing

Again, I can’t say exactly what is being shared here, but the fact that an app with access to everything on my device and my home network is making a remote connection without my express consent is enough for me to stop using it. Immediately.

If you suspect that there may be spyware on your Android device then OS Monitor is your new best friend. A connection on its own is not proof, though: note the app, the remote address and port, look up who owns that address, and then check whether an app setting (update checks, analytics opt-outs) or a firewall rule makes it stop.
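To show what an OS Monitor-style check actually does under the hood, here is an added example, not code from the post or from OS Monitor: it reads the kernel’s TCP connection tables (/proc/net/tcp and /proc/net/tcp6), decodes the hex-encoded addresses, and attributes every outbound connection to the app that owns it through the uid column, which is exactly why no root is needed. The /proc/net rows and the “pm list packages -U” output below are constructed samples using RFC 5737 documentation addresses and made-up uids; the only real identifier is ES File Explorer’s package name, com.estrongs.android.pop. On a real device the same text comes from “adb shell cat /proc/net/tcp /proc/net/tcp6” and “adb shell pm list packages -U”; newer Android releases stop third-party apps from reading /proc/net, so on those devices this works from a shell rather than from an unprivileged app.

```python
"""Attribute TCP connections to Android apps the way OS Monitor does without
root: decode /proc/net/tcp and /proc/net/tcp6 and map the uid column back to
package names.  Added example for this article, not code from OS Monitor or
from the page.  All sample data below is constructed (RFC 5737 documentation
addresses, made-up uids and a made-up FTP client); the one real identifier is
ES File Explorer's package name, com.estrongs.android.pop.
"""
import ipaddress

# Kernel TCP state codes, printed in hex in the 'st' column.
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

# Ranges that stay on the device or the home LAN; anything else is a candidate
# for "phoning home" and deserves a whois / GeoIP lookup.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed `cat /proc/net/tcp`: a listener owned by uid 1000, an HTTPS
# session owned by uid 10123 and an FTP session to the LAN owned by uid 10045.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 6400A8C0:B3E2 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 6400A8C0:C8D3 0100A8C0:0015 01 00000000:00000000 00:00000000 00000000 10045        0 34567 1 0000000000000000 20 4 30 10 -1
"""
# Constructed `cat /proc/net/tcp6`: an IPv4-mapped HTTP session in LAST_ACK,
# the state one commenter on this post saw in netstat.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00006400A8C0:C350 0000000000000000FFFF0000076433C6:0050 09 00000000:00000000 00:00000000 00000000 10123        0 45678 1 0000000000000000 20 4 30 10 -1
"""
# Constructed `pm list packages -U` output (uids are made up).
SAMPLE_PM_LIST = """\
package:com.android.settings uid:1000
package:com.estrongs.android.pop uid:10123
package:org.example.ftpclient uid:10045
"""


def decode_proc_addr(field):
    """Turn 'HEXADDR:HEXPORT' into (ip_address, port).  The kernel prints each
    32-bit word of the address in host byte order, so on little-endian ARM and
    x86 devices every 4-byte chunk must be reversed; the port is plain hex."""
    hex_addr, hex_port = field.split(":")
    raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1]
                   for i in range(0, len(hex_addr), 8))
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # show ::ffff:a.b.c.d as a.b.c.d
    return addr, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Yield one dict per socket row; the header row is skipped."""
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].endswith(":"):
            continue
        yield {"uid": int(f[7]),
               "state": TCP_STATES.get(int(f[3], 16), f[3]),
               "local": decode_proc_addr(f[1]),
               "remote": decode_proc_addr(f[2])}


def parse_pm_list(text):
    """Map uid -> [package, ...]; apps with a sharedUserId share one uid."""
    uid_to_pkgs = {}
    for line in text.splitlines():
        if line.startswith("package:"):
            pkg, uid = line.split()
            uid_to_pkgs.setdefault(int(uid[len("uid:"):]), []).append(pkg[len("package:"):])
    return uid_to_pkgs


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def remote_connections(tcp_text, tcp6_text, pm_text):
    """Connections that leave the device/LAN, attributed to the owning app."""
    uid_to_pkgs = parse_pm_list(pm_text)
    found = []
    for conn in (*parse_proc_net_tcp(tcp_text), *parse_proc_net_tcp(tcp6_text)):
        raddr, rport = conn["remote"]
        if conn["state"] == "LISTEN" or raddr.is_unspecified or is_local(raddr):
            continue
        found.append({"apps": uid_to_pkgs.get(conn["uid"], [f"uid {conn['uid']}"]),
                      "remote": f"{raddr}:{rport}", "state": conn["state"]})
    return found


if __name__ == "__main__":
    for c in remote_connections(SAMPLE_TCP, SAMPLE_TCP6, SAMPLE_PM_LIST):
        print(f"{', '.join(c['apps']):32} -> {c['remote']:22} {c['state']}")
```

On the sample data the listener and the LAN-only FTP session drop out, and the two connections that leave the network are both attributed to the file manager’s uid. The next step is the same one the post takes: look up the owner of each remote address (whois, reverse DNS or a GeoIP database) and decide whether that destination is something the app has any business talking to.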

Further Reading:

Xperia Care Support Forum: Unknown folder “baidu”
XDA Developers: What is baidu folder for?
Google Play Apps: OS Monitor

42 thoughts on “How To Find Spyware On Your Android Device”

  1. “Again, I can’t say exactly what is being shared here, but the fact that an app with access to everything on my device and my home network is making a remote connection without my express consent is enough for me to stop using it. ”

    Then I’m assuming you’re going to stop using all Google services now?

    1. No, why would you assume that?

      Obviously I would expect Google to be able to carry data across the Internet to my phone, just as I would not expect my file browser to need this same functionality.

    1. Yes. Hello, fellow redditors, I am also one of you!

      I was also, by the way, the person who posted Estrong’s feedback to the Howard Forums. But it still doesn’t sit well with me that a file browser, on my home WiFi network, is pinging a remote server. That the server in question happens to be in China is beside the point, at least for me.

      FTPDroid and the native file browsers on CM and SlimKat have replaced ES on the Android devices in this house. But if people reading this still want to keep using it I’m not going to stop them.

      1. Hi, if CM file is what you are using, then you should know that they are associated with Baidu, or were spun off. Still you may want to check its connections. I’m guessing the app is by Cheetah Mobile that is. The problem with most apps in playstore is unless you pay for something, then knowing the country of origin is difficult. Most Chinese apps are free because Google did not allow them to monetize until now I think. So one needs to do a little research.

  2. So you have no issues of Google and Facebook spying on you and sharing this data with your government, but freak out over Baidu analytics pings just because the server is in China? Just because the company is Chinese so it’s “spyware” automatically?

    I can see Western propaganda is working really well.

    1. I think I’ve made my stance on this particular app clear. I’m not really interested in arguing whether ESFE is spyware or not; I’ve already uninstalled it and moved on.

    2. I found a similar connection to China on my Android tablet. It is also from a File Manager app and it CANNOT be uninstalled.

    3. Yeah, sending “anonymous” data over to servers in a totalitarian country that last I recall crushed living demonstrators under tanks (namely China) worries me. A lot.

      1. Hi, I found a good Android file manager, that the developer is from Sweden. It has Google analytics. Based on a Windows file manager style, but works great. Free and ad free too. There are free add-ons or extensions for Drive, Dropbox, and other file transfers. Also has a good media player built in. Total Commander app is in playstore, and has been around for a long time. Read the reviews, and permissions are acceptable. Check it out.

  3. Using the Privacy settings built into Cyanogenmod, it’s child’s play to block ES from getting location data. I believe you can also use this system to stop the apps from phoning home.

  4. Considering this was written back in November… has ESFE changed their practices? I’m not seeing any communication between ESFE and Baidu. I’m not blocking anything either.

      1. That’s a nice app though (OS Monitor). It looks like Amazon is communicating to the Netherlands. My guess is that some of the larger profile apps could be accessing a server cluster: fastest available connection at any given time. Not sure if that was the case with ESFE but I still don’t see any communication under it. I do have the Baidu folder as well.

      1. Here’s a thought, do you have ESFE set to automatically check for updates? (Settings / Update Settings)

        I just enabled Auto Check on ESFE and finally saw the connection to China. Soon as I unchecked that setting, connection is gone.

        Kinda surprised no one thought to look into ESFE settings a little closer 🙂 If I had to guess, ESFE (including the China communication) is harmless.

  5. The File Manager 1.0 app on my Android tablet also has permission to access NFC. That is REALLY ODD and it doesn’t seem particularly harmless to me. I’m still searching for a way to Uninstall this app.

      1. Hi, I googled the issue and apparently you can transfer files to another device using NFC.

  6. Greetings,

    I found out about ES File by another route, even though I have OS Monitor. I recommend Lostnet No Root Firewall: you can block and monitor data connections, and for $.99 go pro with the ability to capture packets and analyze. There are several new NO ROOT firewall apps in playstore. But this one had minimal permissions. Two others’ permissions did not match the stated permissions at the bottom of the playstore page to the permissions asked for when you click the download tab. So, Lostnet is a safer choice, plus you can see what is going on in the background, like all the apps that are following your every move, you know, to better serve you ads. Anyways, I still don’t know what information edge is sending, but like the author, just the true fact that it connects to Baidu is enough for me to block the connection. In light of the fact that Baidu’s network was being used by the Chinese government to attack GitHub with a DDoS over the last week. And there are many other reasons to be cautious of Chinese products, specifically because of their connections to the government. Many OEMs have been caught with backdoors, and even pre-installed malware, adware, and spyware. They conveniently blame “unknown others in the supply chain” or claim “it was a very good clone” by Xiaomi. See Bluebox article. And Coolpad was found doing the same things. See Palo Alto Networks, CoolReaper. Both found by googling.

    I often asked why all these great Chinese apps were free, and found out that up until recently, Google was not allowing them to monetize. But the biggest worry is all the permissions a security app, or file management app, have access to on your phone. There are many risks most just don’t understand. PS. Blocking the connection for ES File does not cause any problems with using the app, and it only communicates when you are actually in the app. Or as soon as you open it.

  7. While I applaud the attentiveness to apps and what they are actually doing, this particular case was not entirely thought out. There are far too many people out there who install apps without thinking twice of who created it, what it does, what access it has, etc. But at the same time one must remember that the Internet has no boundaries. If you use Facebook Messenger, you are often connecting to Dublin Ireland. If you use the Amazon app, you are often connecting to the Netherlands when submitting payments. These larger profile apps are no doubt running on a network designed for redundancy and in many cases this means globally.

    As I stated earlier in the comments, this “issue” with ES File Explorer is not an issue at all. The communication with Beijing is merely to check for updates. If this bothers you, get into ESFE Settings, Update Settings, and disable Auto Check. Your ESFE communication to Beijing will cease and everything will be right with your world. But by all means, keep using OS Monitor and keep looking for suspicious activity, but please dig a little deeper than a forum discussion or Google search on your findings.

    1. @Brian, stopping checks for updates is only one such connection. It seems you yourself did not explore settings far enough. The privacy statement accessible from settings mentions analytics and I confirmed after unchecking updates that ESFE still connects to Baidu. Although this is a similar service that Google performs, your connection to China is what I take issue with, not the collection of supposed anonymous usage data. It is that true connection works both to and from that is concerning. But if you block the connection, the app still performs just fine. ESFE may be completely innocent, and Baidu as well, but the Chinese government IS NOT! So go read about the latest attack on GitHub, and the fact that Google and Mozilla are revoking certs for CNNIC because of blatant violations. Analytics could be done by Google (as they already are part of smart phone users’ lives) and then forwarded to any Chinese vendors. I, and others, should have done our homework before downloading this app, or any for that matter. But the web has nothing but praise for ESFE and rightly so, as it is very good at what it does. But they should have been more transparent about the connections it initiates.

      But even worse are any apps with ad SDKs, because they are still operating in the background even though you are not using it. These banner ad SDKs follow your activity most right after closing them, even by using the return function. So as the last commenter states, yes, it is virtually impossible to avoid the intrusive behaviors, but we CAN take steps to mitigate them. Privacy and security issues are only going to increase, so the more information you have, the better we can protect ourselves.

  8. One should not simply believe that he can still use a “smart phone” without having companies or governments spying on him and getting whatever info they need. If we uninstalled ES there will always be a way; we can’t hide.
    I am a privacy freak, but I use my phone knowing that they can get anything, anytime.
    Google has full permission for every single thing; why don’t we see anyone complaining? Because we can’t uninstall Google, and nothing can make us sure that they REALLY respect our privacy.
    Anyway the XML, if sent, is not shared to the public, so not a big deal, but a good thing to know.

    1. Hi,

      ES may not be spyware in the traditional sense of the word. But it does have privacy issues besides the ones I listed above. This study by Carnegie University Computer Labs gives ES File a grade of C, and the range is A-D only. Here is a link:
      They graded tens of thousands of Android apps. Any app that communicates using only HTTP, connects to servers in China, is vulnerable to a MITM (man in the middle) attack. That means malware can be silently delivered to your device. Which includes adware, spyware, and malware! The opo thread is lame to say the least, because no one has an idea what is going on in the background. Including the comment just before this one. I, on the other hand, have tested and researched this issue for some time now.

      And another thing, if you have any app, or PHONE, that is not connecting over HTTPS to any server in China, then you ARE vulnerable! The Chinese government has mandated that all software/hardware WILL have access designed into their products. And if someone wants to do business with China, they have to give up source code. Apple has already agreed to their terms. Others as well are giving in to demands. So enjoy your phones!

  9. Hi all, if anyone still follows this, here is something that will raise your eyebrows. Remote access through ES File Explorer. This was for an older version, but I can find nowhere that it was fixed. And worse, the CVE and NVD NIST websites are not showing anything, but the researcher who discovered it put up the research paper online, probably because it HAS NOT been fixed, and it is now blocked from being viewed on normal venues. Here is the link to the paper.

    I have written to them, and to CVE, for information on this, so will update if and when I learn more. Any normal vulnerability would show up on CVE as being patched, or not. Never seen one blocked before.

  10. I found the Chinese IP in my snort alerts as “Network trojan detected”

    After tracking it down, it was coming from my Android that has ESFE installed.

    It takes very little googling to find how much malware originates from the PRC…..

    No more ESFE on my devices…..

  11. I tried using X-Plore and ES File Explorer on Android. After making an SSH connection, I saw a suspicious login to the remote server with an IP address in India (which might not be accurate because IP addresses can be faked). This might be coincidental, and I cannot say which one (if either) sent my login details to a third party … but I took remedial action on the remote server and uninstalled both Android apps immediately.

  12. Thanks for your post. I have been in information security for the past 7 years. I also have a passion for computer forensics. So, today I thought to enable the root account on my Android phone for the very first time to see background network activities. Fortunately, I found network activities as shown below:

    tcp6 1 1 ::ffff: ::ffff: LAST_ACK

    I found this IP address is related to Baidu.

    Once I found all these details I searched on Google to check if anyone else had the same issue. I found your website link and I read all of the above mentioned by you.

    And I also checked the XML file mentioned by you and the interval time was 24 there. This app seems suspicious to me.


  13. I wondered why/how ES File Explorer could afford to give away the farm with no ads or upgrades for so long. I removed it and went with FX File Explorer, made in the USA by ’Mericans. Turns out to be better anyway.

    1. ES File Explorer cannot be trusted and has been deleted. Thank you all for your info. What does Google have to say about it? Google must know all these things and also cannot be trusted. Very embarrassing for an American and an American Co.

  14. Baidu is the Chinese Google, so it kind of makes sense, given how much Google tracks its users. Anyway I deleted the app because it’s too slow.

  15. All these discussions and opinions are totally moot. They have their fingers into everything. They can know whatever they care to look at, me, you, Mick Jagger, the mailman. It’s all at their fingertips. But you know what? That’s a good thing. Why? Because it just doesn’t matter any more. Fuck it. If you have something to hide give it up. There are 300 million of us in the US. If the Chinese invade are they really gonna come rolling down your street and call you out? You’re not that important. So relax. Breathe deeply.

  16. I’ve had ES File Explorer for as long as I can remember, even bought the Pro. Come to find out the underlying connection had been inputting malware and Trojans while setting up shop around all my devices and networks. Over the last 8 months I’ve been trying to get them out of my domain, out of my tablets and PCs. They’ll change your APKs, your Google frameworks and just about everything about your device to go unnoticed. They are especially fond of Qualcomm roots and can easily incorporate it if you come across a Chinese device like Huawei. The data in general on all devices travel through a few other countries that don’t have data privacy restrictions protecting the data to the fullest extent. In the privacy acts Google states that they’ll do what they can to protect our data, more or less. Hell, I’ve got Chinese, Taiwan and a few other gov root certs now I can’t get rid of. My devices are rooted for their control; I can’t use root. On the Androids anyways. I’ve been forced out of Windows because I recovered my hard drives that contained info on them about 100x over, collecting more data as I went. Nowadays I’m stuck in KDE and Linux learning code and trying to clean the preseed installations that keep coming on any install. (No matter how I partition or wipe a HD or where the ISO comes from.) I’m trapped in a client host situation my ISP can’t stop nor can I with my router controls. They always get back in. My emails are spammed to death by an email assassin bash. Well anyways, I’ve gone to Google and they’re in the works helping me compile data on the assailants and ES which keeps getting data access even though it’s not installed. I’ve got one PC clean and consistently logging my other PCs in a hidden shell. I think I’ll be coming out with a sum of cash here soon 😉

    1. Hi Synister,

      I have no doubts about the infections on all your devices, but the fact that you mention being rooted by them leads me to believe that you were infected by any number of auto-rooting malware discovered over the last couple of years. But ES File may likely have been the door the malware used to enter. I think you will find this report/research, done by Citizens Lab in Toronto, Canada, very helpful, or at least enlightening.
      I had been warning about the insecure connections Chinese apps were making to servers inside China. Many utility apps like browsers, file managers, mobile security, have some of the largest permission sets, making them vulnerable if they were used to assist a malware infection. You may be aware of China’s censorship, and the national firewall called “the Great Firewall of China”. That means they can intercept any connections coming and going from that country. Now, hold that thought.

      Last year, there was a rather large DDoS attack on GitHub, and again, Citizens Lab to the rescue. Their research discovered China as the culprit. Because the code shared some characteristics with the Firewall, they named the new code “Great Cannon”. This cyber weapon can be used in lots of ways, especially when combined with the Firewall. Here’s that report:
      citizens lab, great cannon

      And another DDoS attack last year came from over a half million mobile devices, smart phones, but pointed right back at Baidu (who owns ES File Manager, and hundreds more apps); you can read about that here:

      I hope you subscribed to this thread, because I really would like to keep up with how your situation ultimately gets resolved. But, in case you don’t know it, most auto-rooting malware requires the device be wiped, and the ROM be reinstalled. If your devices are beyond OS updates and security patches, you should wipe them and install Cyanogen OS for your Android devices. They have lots of up to date ROMs for many devices, but that’s what it’ll take, if I understood you correctly. Good luck, and let us know how you make out.
