Google forced out apps on Google Play that contained an advertising software development kit (SDK) called Igexin, researchers said.
There were over 500 apps that could covertly download data from infected devices, said researchers at the Lookout Security Intelligence team.
“While not all of these applications have been confirmed to download the malicious spying capability, Igexin could have introduced that functionality at their convenience,” said Lookout researchers Adam Bauer and Christoph Hebeisen in a blog post.
“It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server,” the researchers said. “Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality – nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server.”
The apps that contain the SDK included:
• Games targeted at teens (one with 50M-100M downloads)
• Weather apps (one with 1M-5M downloads)
• Internet radio (500K-1M downloads)
• Photo editors (1M-5M downloads)
• Educational, health and fitness, travel, emoji, home video camera apps
“Typically, mobile apps use advertising SDKs to make it easy for app developers to leverage advertising networks and deliver ads to customers. Like many ad networks, the Igexin service promotes its targeted advertising services that leverage data collected about people such as their interests, occupation, income, and location,” Bauer and Hebeisen said.
It should be standard procedure for app developers to analyze any third-party code they embed in their apps. But they don’t. Too many of them don’t bother or don’t know how to, and opt for trusting the developers of SDKs blindly, researchers said.
The researchers pointed out that not all versions of the Igexin ad SDK deliver malicious functionality, but those that did implemented a plugin framework that allows the client to load arbitrary code, and requested instructions on what to download next.
Mostly, it was to exfiltrate call logs, which contain information such as time of call, calling number, and call state. But there were also instances where data about installed apps and GPS location was exfiltrated.
“Users and app developers have no control over what will be executed on a device after the remote API request is made. The only limitations on what could potentially be run are imposed by the Android permissions system,” the researchers said.
Lookout researchers did not name the apps that were found using the malicious SDK, but notified Google of the problem.
Google then proceeded to clean up house, either by removing the offending apps altogether, or by forcing app developers to upload an updated version with the Igexin SDK removed.