Advertisement
US | EN
Mad Beats
Industry

MuMu Player (NetEase) silently runs 17 reconnaissance commands every 30 minutes

By 262588213843476
MuMu Player (NetEase) silently runs 17 reconnaissance commands every 30 minutes

MuMu Player Pro (NetEase) silently runs 17 system reconnaissance commands every 30 minutes on macOS

Summary

MuMu Player Pro for macOS (by NetEase) executes a comprehensive system data collection routine every 30 minutes while the emulator is running. This includes enumerating all devices on your local network, capturing every running process with full command-line arguments, inventorying all installed applications, reading your hosts file, and dumping kernel parameters -- all tied to your Mac's serial number via SensorsData analytics.

None of this is disclosed in MuMu's privacy policy. None of it is necessary for an Android emulator to function.

Environment

  • App: MuMu Player Pro for macOS (v1.8.5)
  • Bundle ID: com.netease.mumu.nemux-global
  • macOS version: 26.3 (Apple Silicon)

What it collects

Every 30 minutes, MuMu creates a timestamped directory under:

~/Library/Application Support/com.netease.mumu.nemux-global/logs/

Each directory (e.g. 20260220-071645) contains the output of the following commands, all executed automatically in the background:

File

Command executed

What it captures

arpAll.txt

arp -a

Every device on your local network (IPs + MAC addresses)

ifconfig.txt

ifconfig

All network interfaces, MAC addresses, IP addresses, VPN tunnels

networkDNS.txt

scutil --dns

Full DNS resolver configuration

networkProxy.txt

scutil --proxy

Proxy settings

catHosts.txt

cat /etc/hosts

Your entire hosts file (exposes custom domains, dev environments)

netstat.txt

netstat

Active network connections (times out after 15s)

listProcess.txt

ps aux

Every running process with full arguments (~200KB)

listApplications.txt

ls -laeTO -@ /Applications/

All installed applications with metadata

mdlsApplications.txt

mdls /Applications/*.app

Spotlight metadata for every app (name, version, bundle ID, size, dates)

sysctl.txt

sysctl -a

Kernel parameters, hostname, hardware info, boot time (~60KB)

launchctlPrintSystem.txt

launchctl print system

Full system service dump (~64KB)

launchctlLimit.txt

launchctl limit

System resource limits

listLaunchAgents.txt

ls -laeTO -@ /Library/LaunchAgents

All system launch agents

listLaunchDaemons.txt

ls -laeTO -@ /Library/LaunchDaemons

All system launch daemons

mount.txt

mount

All mounted filesystems

custom-curl-apipro.txt

curl -v https://pro-api.mumuplayer.com

Connectivity test to MuMu API

custom-curl-mumuapipro.txt

curl -v https://api.mumuglobal.com

Connectivity test to MuMu global API

A collect-finished manifest file logs the success/failure of each collection.

The ps aux problem

The process list captures full command-line arguments for every process on the system. In practice this exposes:

  • What applications you're running and when (browsers, chat apps, trading platforms, security tools)
  • VPN usage and configuration (e.g. NordVPN/NordLynx with arguments)
  • Development tools and infrastructure (Docker, IDEs, terminal sessions with arguments)
  • Session tokens and IDs passed as command-line arguments
  • User data directory paths revealing your username and app configurations
  • What security/firewall software you use (useful for evasion)

This is captured every 30 minutes, creating a detailed behavioral timeline of your computer usage.

Analytics and device fingerprinting

MuMu uses SensorsData (a Chinese analytics platform) for tracking. Files in the report/ directory include:

Identity tracking (sensorsanalytics-com.sensorsdata.identities.plist):

{ "$identity_login_id": "<user_id>", "$identity_anonymous_id": "<anonymous_id>", "$identity_mac_serial_id": "<your_mac_serial_number>" }

Your Mac's hardware serial number is collected and used as a persistent identifier.

Campaign tracking (sensorsanalytics-super_properties.plist):

player_version: 1.8.5
player_channel: MACPRO
player_uuid: <UUID>
player_utm_source: SEO001
player_engine: (tracked)

An 86KB analytics message queue (sensorsanalytics-message-v2.plist) is maintained and sent to their servers.

Collection frequency

On a single day of normal use, MuMu ran the collection routine 16 times (once every ~30 minutes). Each collection generates ~400KB of system data. The logs directory retains approximately 23 collection runs before rotating.

How to verify

If you have MuMu Player Pro installed on macOS, check:

ls ~/Library/Application\ Support/com.netease.mumu.nemux-global/logs/

If you see timestamped directories, open any one and read the files. Each file contains the exact command that was executed, its arguments, and the full captured output.

What MuMu's privacy policy says

The MuMu Player Pro Privacy Policy does not disclose:

  • Running ps aux to capture all system processes
  • Running arp -a to enumerate local network devices
  • Reading /etc/hosts
  • Dumping sysctl -a kernel parameters
  • Inventorying all installed applications via mdls
  • Collecting your Mac serial number
  • Performing any of this on a 30-minute recurring schedule

Conclusion

This goes well beyond what any Android emulator needs. The data collected -- local network topology, complete process lists, installed software inventory, DNS configuration, hosts file, and kernel parameters -- constitutes a comprehensive system profile. Combined with SensorsData analytics and your hardware serial number, this creates a persistent, detailed fingerprint of your machine and usage patterns.

The fact that this runs silently every 30 minutes, is not disclosed in the privacy policy, and is not necessary for emulator functionality makes this, at minimum, a serious transparency failure.

Advertisement

Source involved in this report: Read Original Article

More from Mad Beats

See All