The DU Caller app released by the DU Group, a subsidiary of Baidu, a large Chinese search engine and web services company, was originally marketed as a call-blocking tool, and became enormously popular, boasting a userbase of over 1 billion searchable contacts.
According to a new report from the South China Morning Post (SCMP), the free app apparently paid for itself by secretly transferring user data, including the user's contacts, to proprietary servers for unknown reasons.
A reverse lookup function in the app allowed anyone with the app to access Baidu's servers in Beijing, and after the contacts were leaked, the information was revealed to include some high-profile names.
Hong Kong Secretary for Security Lai Tung-kwok, Hong Kong Police Chief Stephen Lo Wai-chung and many other party officials from the central government's liaison office were shown to have had their data compromised, according to SCMP.
The case has been referred by the security bureau to the Office of the Privacy Commissioner for Personal Data in Beijing for investigation.
Prior to a user agreeing to the privacy policy of the free app — and immediately after installing the app, according to the report — DU Caller would gather personal data and transfer it to Baidu servers in Beijing.
Accessed for download from the Google Play store, the app, which has been downloaded somewhere between one and five million times, is not available for Apple iPhones, according to SCMP.
Hong Kong's privacy commissioner for personal data, Stephen Wong Kai-yi, was on the list of those whose information was leaked, and asserted that the developer of DU Caller was in breach of the country's third data protection principle of its Personal Data (Privacy) Ordinance.
