The DJI Go 4 app on the Google Play Store, which is used to control DJI drones, has been found to have some worrying backend features. This was revealed after security firms Synacktiv and Grimm reverse-engineered the app. They found the software to be violating Google’s Play Store policies; it has reportedly been collecting sensitive user data and can download and execute code of the developers’ choice.
The two independent reports questioning the DJI Go 4 app’s privacy and trustworthiness were published by Ars Technica. China-based DJI is allegedly one of the world’s most successful, and even the largest, commercial drone manufacturers. Reflecting that popularity, the DJI Go 4 app has over 1 million installs on the Play Store.
Reportedly, the app has been used to either control the drones or collect near real-time video clips and flight data from them. Additionally, in their independent reports, the two firms reveal that, in violation of the Play Store policies, the app can spy on users, accumulate a lot of other sensitive user data and send it to servers in China.
It was also found that the older version of the DJI Go 4 app collected users’ phone data, including IMEI, SIM serial number, kernel version, SD card info and Bluetooth addresses, among other things, and sent the information to MobTech, a China-based SDK developer. The components alleged to be spying were reportedly removed by the company in the new app update.
What is even more worrying is that the app is alleged to install itself on users’ phones through self-update or through an installer provided by Weibo. Further, the reports reveal that the app can automatically restart on its own and continue running in the background, even if the user has closed it. Google is believed to be looking into the matter.