Tech 4 min read

Google engineers indicted, and MuMu Player's reconnaissance commands

Ikesan

Two very different incidents came up in the same week: a former Google engineer allegedly transferring sensitive information abroad, and a NetEase Android emulator that was quietly reconnoitering user systems.

three former Google engineers indicted for allegedly transferring Tensor secrets to Iran

Three people, two former Google employees and the husband of one of them, were indicted by a US federal grand jury for allegedly stealing trade secrets from Google and transferring them to Iran. It is a serious example of a nation-linked insider threat targeting a tech company.

who was indicted

All three defendants are Iranian nationals living in San Jose, California:

  • Samaneh Ghandali (41): former Google engineer
  • Soroor Ghandali (32): Samaneh’s sister, also a former Google engineer
  • Mohammadjavad Khosravi (40): Samaneh’s husband, employed at another tech company

what was allegedly taken

The secrets involved Google’s Tensor processor, the custom chip family used in Pixel phones, specifically material related to processor security, encryption, and related technologies. Samaneh is said to have transferred hundreds of files through a third-party messaging platform.

For a separate company referred to as Company 2, Samaneh allegedly took about 24 photos on a mobile device before traveling to Iran in December 2023.

the screenshot method

The most interesting part is the extraction method: instead of copying files or using removable media, the defendants allegedly photographed the screen with a phone. The goal was to bypass DLP systems and logging.

They also allegedly deleted files from devices, searched online for ways to erase communication records, and submitted false affidavits.

charges and penalties

The three defendants were charged with:

  • conspiracy to steal trade secrets
  • theft and attempted theft of trade secrets
  • obstruction of justice

Trade secret theft can carry up to 10 years in prison and a $250,000 fine per count. Obstruction can carry up to 20 years and a $250,000 fine.

why screenshots defeat DLP

Enterprise security is usually focused on monitoring electronic transfers. If someone takes a physical photo of the screen, there may be nothing useful in the logs. Zero trust and DLP do not help much against a camera.

The fact that all three defendants were Iranian nationals and family members makes the case even more uncomfortable. Tensor chips are a core differentiator for Pixel, so exporting design information would be a direct competitive hit.

MuMu Player Pro ran 17 reconnaissance commands on macOS every 30 minutes

Another report claimed that NetEase’s MuMu Player Pro Android emulator was quietly collecting host-system information on macOS every 30 minutes.

what was happening

The emulator was periodically running commands such as:

network information

  • arp -a
  • scutil --dns
  • scutil --proxy
  • /etc/hosts

processes and software

  • ps aux
  • ls -laeTO -@ /Applications/
  • mdls /Applications/*.app

system details

  • sysctl -a
  • launchctl print system
  • mount

Together, those commands reveal a very complete picture of the machine.

why ps aux is especially bad

ps aux is the most sensitive of the set because it exposes the full command line for every running process. That can leak VPN endpoints, development environment details, API keys passed on the command line, and security software usage.

SensorsData fingerprinting

The investigation also found that MuMu Player used SensorsData, a Chinese analytics platform, and that the fingerprint it collected included the Mac serial number.

why the privacy policy does not help

None of this behavior appears to be disclosed clearly in the privacy policy. And it is hard to justify why an Android emulator would need sysctl -a or arp -a at all.

MuMu is especially common among game players, so this was not just a niche developer issue.

what to do

There has not been a clear official statement from NetEase at the time of writing. If you want to avoid the issue, the practical choices are to uninstall MuMu Player or isolate it inside a VM.

On macOS you can check for activity with:

launchctl list | grep -i mumu
lsof -c mumu
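Beyond a one-off `launchctl`/`lsof` check, the behavior described above (the same parent process running a cluster of the listed commands every 30 minutes) is easy to detect from a process-execution log. The following is an added example, not the article's or any vendor's code: it parses a constructed exec-event log (the line format and the emulator path are assumptions), groups executions by parent process, flags any parent that runs several of the article's reconnaissance commands inside a short window, and reports whether the bursts recur at a fixed interval.

```python
"""Detect periodic reconnaissance bursts from one parent process.

Added example, not from the article. The log format is an assumption
(loosely modelled on an EDR process-exec feed); SAMPLE_LOG is constructed,
including the emulator bundle path, which is a placeholder.
"""
import re
from collections import defaultdict
from datetime import datetime

# Commands named in the article, matched on the exact command line.
RECON_COMMANDS = {
    "arp -a", "scutil --dns", "scutil --proxy", "ps aux",
    "ls -laeTO -@ /Applications/", "mdls /Applications/*.app",
    "sysctl -a", "launchctl print system", "mount",
}
WINDOW_SECONDS = 60   # width of one burst (assumption)
MIN_DISTINCT = 4      # distinct recon commands needed to call it a burst (assumption)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ppid=(?P<ppid>\d+) parent="(?P<parent>[^"]+)" '
    r'pid=(?P<pid>\d+) cmd="(?P<cmd>[^"]+)"$'
)

EMU = "/Applications/EmulatorExample.app/Contents/MacOS/emulator"  # placeholder path
SAMPLE_LOG = f"""
2024-05-01T10:00:00Z ppid=512 parent="{EMU}" pid=9001 cmd="arp -a"
2024-05-01T10:00:01Z ppid=512 parent="{EMU}" pid=9002 cmd="scutil --dns"
2024-05-01T10:00:01Z ppid=512 parent="{EMU}" pid=9003 cmd="ps aux"
2024-05-01T10:00:02Z ppid=512 parent="{EMU}" pid=9004 cmd="sysctl -a"
2024-05-01T10:00:03Z ppid=512 parent="{EMU}" pid=9005 cmd="mount"
2024-05-01T10:12:40Z ppid=731 parent="/bin/zsh" pid=9100 cmd="ps aux"
2024-05-01T10:30:00Z ppid=512 parent="{EMU}" pid=9301 cmd="arp -a"
2024-05-01T10:30:01Z ppid=512 parent="{EMU}" pid=9302 cmd="scutil --proxy"
2024-05-01T10:30:02Z ppid=512 parent="{EMU}" pid=9303 cmd="ps aux"
2024-05-01T10:30:02Z ppid=512 parent="{EMU}" pid=9304 cmd="launchctl print system"
2024-05-01T10:30:04Z ppid=512 parent="{EMU}" pid=9305 cmd="sysctl -a"
2024-05-01T10:45:10Z ppid=731 parent="/bin/zsh" pid=9200 cmd="mount"
"""


def parse_line(line):
    """Return (timestamp, (ppid, parent_path), cmd) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, (int(m["ppid"]), m["parent"]), m["cmd"]


def find_recon_bursts(log_text):
    """Map each offending parent to the start times of its reconnaissance bursts."""
    by_parent = defaultdict(list)
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in RECON_COMMANDS:
            by_parent[parsed[1]].append((parsed[0], parsed[2]))

    bursts = {}
    for parent, events in by_parent.items():
        events.sort()
        starts, i = [], 0
        while i < len(events):
            start, seen, j = events[i][0], set(), i
            # Collect everything this parent ran within WINDOW_SECONDS of `start`.
            while j < len(events) and (events[j][0] - start).total_seconds() <= WINDOW_SECONDS:
                seen.add(events[j][1])
                j += 1
            if len(seen) >= MIN_DISTINCT:
                starts.append(start)
                i = j          # consume the whole burst
            else:
                i += 1         # a lone `ps aux` from a shell is not a burst
        if starts:
            bursts[parent] = starts
    return bursts


def burst_period_seconds(starts, tolerance=0.1):
    """Common interval between bursts if they are evenly spaced (within tolerance), else None."""
    if len(starts) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean if all(abs(g - mean) <= tolerance * mean for g in gaps) else None


if __name__ == "__main__":
    for (ppid, parent), starts in find_recon_bursts(SAMPLE_LOG).items():
        period = burst_period_seconds(starts)
        print(f"{parent} (ppid {ppid}): {len(starts)} bursts, "
              f"period {period}s" if period else f"{parent}: {len(starts)} burst(s)")
```

The threshold on distinct commands is what keeps an administrator's own `ps aux` or `mount` from alerting; the periodicity check turns a single burst into the scheduled-collection pattern the report describes.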

An Android emulator runs with deep system permissions. Installing a sketchy one directly on your host OS is not much different from handing over administrator access.