MuMu Player (NetEase) silently runs 17 reconnaissance commands every 30 minutes
Source: Hacker News
Summary
MuMu Player Pro for macOS (by NetEase) executes a comprehensive system‑data collection routine every 30 minutes while the emulator is running. It enumerates all devices on the local network, captures every running process with full command‑line arguments, inventories all installed applications, reads the hosts file, and dumps kernel parameters—tying everything to the Mac’s serial number via SensorsData analytics. None of this is disclosed in MuMu’s privacy policy, and none of it is required for an Android emulator to function.
Environment
- App: MuMu Player Pro for macOS (v1.8.5)
- Bundle ID: com.netease.mumu.nemux-global
- macOS version: 13.3 (Apple Silicon)
What it collects
Every 30 minutes MuMu creates a timestamped directory under:
~/Library/Application Support/com.netease.mumu.nemux-global/logs/
Each directory (e.g. 20260220-071645) contains the output of the following commands, all executed automatically in the background:
| File | Command | Captured data |
|---|---|---|
| arpAll.txt | arp -a | Every device on the local network (IP + MAC) |
| ifconfig.txt | ifconfig | All network interfaces, MAC addresses, IP addresses, VPN tunnels |
| networkDNS.txt | scutil --dns | Full DNS resolver configuration |
| networkProxy.txt | scutil --proxy | Proxy settings |
| catHosts.txt | cat /etc/hosts | Entire hosts file (custom domains, dev environments) |
| netstat.txt | netstat | Active network connections (times out after 15 s) |
| listProcess.txt | ps aux | Every running process with full arguments (~200 KB) |
| listApplications.txt | ls -laeTO -@ /Applications/ | All installed applications with metadata |
| mdlsApplications.txt | mdls /Applications/*.app | Spotlight metadata for every app (name, version, bundle ID, size, dates) |
| sysctl.txt | sysctl -a | Kernel parameters, hostname, hardware info, boot time (~60 KB) |
| launchctlPrintSystem.txt | launchctl print system | Full system service dump (~64 KB) |
| launchctlLimit.txt | launchctl limit | System resource limits |
| listLaunchAgents.txt | ls -laeTO -@ /Library/LaunchAgents | All system launch agents |
| listLaunchDaemons.txt | ls -laeTO -@ /Library/LaunchDaemons | All system launch daemons |
| mount.txt | mount | All mounted filesystems |
| custom-curl-apipro.txt | curl -v https://pro-api.mumuplayer.com | Connectivity test to MuMu API |
| custom-curl-mumuapipro.txt | curl -v https://api.mumuglobal.com | Connectivity test to MuMu global API |
A collect-finished manifest file logs the success or failure of each collection.
The ps aux problem
The process list captures full command‑line arguments for every process on the system, exposing:
- Applications you run and when (browsers, chat apps, trading platforms, security tools)
- VPN usage and configuration (e.g., NordVPN/NordLynx arguments)
- Development tools and infrastructure (Docker, IDEs, terminal sessions)
- Session tokens and IDs passed as arguments
- User‑data directory paths revealing usernames and app configurations
- Security/firewall software you use (useful for evasion)
Because this runs every 30 minutes, it creates a detailed behavioral timeline of your computer usage.
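To see what a captured listProcess.txt exposes on your own machine, the sketch below scans ps aux output for credential-like arguments and home-directory paths, reporting only the flag name and never the value. It is an added example, not part of the original write-up or of MuMu's code; the keyword list, function name and sample rows are assumptions constructed for illustration.

```python
import re
import sys

# Flag names that usually carry a secret (assumed heuristic list; it errs
# toward flagging, so expect some false positives).
SECRET = re.compile(
    r"(?<!\S)(--?[\w-]*(?:token|secret|passw(?:or)?d|api[-_]?key|session)[\w-]*)"
    r"(?:=|\s+)(\S+)",
    re.IGNORECASE,
)
HOME = re.compile(r"/Users/([^/\s]+)/")  # macOS home path reveals the username

# Constructed sample in `ps aux` layout; none of these are real processes.
SAMPLE = """\
USER   PID  %CPU %MEM  VSZ  RSS  TT  STAT STARTED  TIME COMMAND
alice  501   0.0  0.1  4096 1024 ??  S    9:01AM   0:00.10 /usr/local/bin/syncd --api-key=EXAMPLE-NOT-REAL --interval 30
alice  502   0.2  1.5  8192 2048 ??  S    9:02AM   0:03.51 /Applications/Browser.app/Contents/MacOS/Browser --user-data-dir=/Users/alice/Library/Browser/Profile
root    88   0.0  0.0  2048  512 ??  Ss   8:55AM   0:00.02 /usr/sbin/exampled -f
"""


def scan_process_list(text):
    """Return (pid, kind, detail) for each exposure found in ps aux output."""
    findings = []
    for line in text.splitlines():
        cols = line.split(None, 10)  # 10 fixed columns, then the command line
        if len(cols) < 11 or not cols[1].isdigit():
            continue                 # header, banner or wrapped line
        pid, cmd = int(cols[1]), cols[10]
        for m in SECRET.finditer(cmd):
            findings.append((pid, "secret-arg", m.group(1)))  # value withheld
        for user in sorted(set(HOME.findall(cmd))):
            findings.append((pid, "home-path", user))
    return findings


if __name__ == "__main__":
    # Pass the path to a captured listProcess.txt, or run with no argument
    # to scan the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for pid, kind, detail in scan_process_list(text):
        print(f"pid {pid}: {kind}: {detail}")
```
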
Analytics and device fingerprinting
MuMu uses SensorsData (a Chinese analytics platform). Files in the report/ directory include:
Identity tracking (sensorsanalytics-com.sensorsdata.identities.plist)
{
"$identity_login_id": "",
"$identity_anonymous_id": "",
"$identity_mac_serial_id": ""
}
The Mac’s hardware serial number is collected and used as a persistent identifier.
Campaign tracking (sensorsanalytics-super_properties.plist)
player_version: 1.8.5
player_channel: MACPRO
player_uuid:
player_utm_source: SEO001
player_engine: (tracked)
An ~86 KB analytics message queue (sensorsanalytics-message-v2.plist) is maintained and periodically sent to their servers.
Collection frequency
During a single day of normal use, MuMu ran the collection routine 16 times (approximately every 30 minutes). Each run generates ~400 KB of system data. The logs directory retains about 23 collection runs before older entries are rotated out.
How to verify
If MuMu Player Pro is installed on macOS, run:
ls ~/Library/Application\ Support/com.netease.mumu.nemux-global/logs/
If timestamped directories appear, open any of them and inspect the files. Each file contains the exact command that was executed, its arguments, and the full captured output.
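Going beyond the ls check above, the following added example (not from the original write-up) walks the logs directory, parses each timestamped directory name, and reports how many of the 17 files from the table are present, their total size, and the gap in minutes since the previous run. The function names and the sample tree it builds are assumptions constructed for illustration; point audit_runs at the real logs path to check your own machine.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

EXPECTED = [  # the 17 file names from the table on this page
    "arpAll.txt", "ifconfig.txt", "networkDNS.txt", "networkProxy.txt",
    "catHosts.txt", "netstat.txt", "listProcess.txt", "listApplications.txt",
    "mdlsApplications.txt", "sysctl.txt", "launchctlPrintSystem.txt",
    "launchctlLimit.txt", "listLaunchAgents.txt", "listLaunchDaemons.txt",
    "mount.txt", "custom-curl-apipro.txt", "custom-curl-mumuapipro.txt",
]
RUN_DIR = re.compile(r"\d{8}-\d{6}")  # e.g. 20260220-071645


def audit_runs(logs_dir):
    """Return one record per timestamped run directory, oldest first."""
    runs = []
    for d in sorted(Path(logs_dir).iterdir()):
        if not (d.is_dir() and RUN_DIR.fullmatch(d.name)):
            continue
        try:
            ts = datetime.strptime(d.name, "%Y%m%d-%H%M%S")
        except ValueError:  # right shape, but not a real date/time
            continue
        present = [f for f in EXPECTED if (d / f).is_file()]
        size = sum((d / f).stat().st_size for f in present)
        gap = round((ts - runs[-1]["time"]).total_seconds() / 60) if runs else None
        runs.append({"name": d.name, "time": ts, "files": len(present),
                     "bytes": size, "gap_min": gap})
    return runs


def build_sample(root):
    """Constructed sample tree standing in for the real logs directory."""
    for name in ("20260220-071645", "20260220-074650", "20260220-081655"):
        run = Path(root) / name
        run.mkdir()
        for f in EXPECTED[:3]:
            (run / f).write_text("constructed sample output\n")
    (Path(root) / "not-a-run").mkdir()  # must be skipped


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for r in audit_runs(tmp):
            print(r["name"], r["files"], "of 17 files,", r["bytes"], "bytes, gap", r["gap_min"])
```
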
What MuMu’s privacy policy says
The MuMu Player Pro Privacy Policy does not disclose:
- Running ps aux to capture all system processes
- Running arp -a to enumerate local network devices
- Reading /etc/hosts
- Dumping sysctl -a kernel parameters
- Inventorying all installed applications via mdls
- Collecting the Mac’s serial number
- Performing any of the above on a 30‑minute recurring schedule
Conclusion
The data collected—local network topology, complete process lists, installed‑software inventory, DNS configuration, hosts file, and kernel parameters—constitutes a comprehensive system profile. Coupled with SensorsData analytics and the hardware serial number, this creates a persistent, detailed fingerprint of the machine and its usage patterns. The silent, undisclosed, 30‑minute recurrence goes far beyond what any Android emulator requires, representing a serious transparency failure.