At least 500 apps collectively downloaded more than 100 million times from Google’s official Play Market contained a secret backdoor that allowed developers to install a range of spyware at any time, researchers said Monday.
The apps contained a software development kit called Igexin, which makes it easier for apps to connect to ad networks and deliver ads that are targeted to the specific interests of end users. Once an app using a malicious version of Igexin was installed on a phone, the developer kit could update the app to include spyware at any time, with no warning. The most serious spyware installed on phones were packages that stole call histories, including the time a call was made, the number that placed the call, and whether the call went through. Other stolen data included GPS locations, lists of nearby Wi-Fi networks, and lists of installed apps.
In a blog post published Monday, researchers from mobile security company Lookout wrote:
It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality – nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server.
The apps that contain the SDK included:
- Games targeted at teens (one with 50M-100M downloads)
- Weather apps (one with 1M-5M downloads)
- Internet radio (500K-1M downloads)
- Photo editors (1M-5M downloads)
- Educational, health and fitness, travel, emoji, home video camera apps
Chinese Advertising Firm Spying On Android Users
Not all of the 500 apps had installed one of the plugins silently delivered by Igexin, but the researchers said the developer kit could have caused any of the apps to download and install such plugins whenever the development kit operators wanted. The type of plugin that could be delivered was limited by the Android permission system. Additionally, not all versions of Igexin delivered the spying functions. Versions that did relied on a plugin framework that allowed devices to load arbitrary code, as directed by the response to requests the devices made periodically to a server located at http://sdk.open.phone.igexin.com/api.php.
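The periodic check-ins described above leave a trace in network logs. The following is an added example, not code from Lookout or the original article: it scans web-proxy log lines for requests to the endpoint named above and reports, per client, how many check-ins occurred and how regularly. The log format, the sample lines and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Endpoint named in the article; the log format below is an assumption.
IGEXIN_HOST, IGEXIN_PATH = "sdk.open.phone.igexin.com", "/api.php"
# Constructed sample lines: "ISO-timestamp client-ip METHOD url"
SAMPLE_LOG = """\
2017-08-21T09:00:02 10.0.0.15 POST http://sdk.open.phone.igexin.com/api.php
2017-08-21T09:10:03 10.0.0.15 POST http://SDK.open.phone.igexin.com/api.php?x=1
2017-08-21T09:12:11 10.0.0.22 GET http://sdk.open.phone.igexin.com.example.net/api.php
2017-08-21T09:20:01 10.0.0.15 POST http://sdk.open.phone.igexin.com/api.php
2017-08-21T09:31:00 10.0.0.31 POST http://sdk.open.phone.igexin.com/api.php
malformed line without enough fields
"""

def is_igexin_checkin(url):
    """Exact host and path match, so look-alike hostnames do not count."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() == IGEXIN_HOST and parts.path == IGEXIN_PATH

def find_checkins(log_text):
    """Return {client_ip: [datetime, ...]} for requests to the SDK endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        stamp, client, _method, url = fields
        try:
            when = datetime.fromisoformat(stamp)
            matched = is_igexin_checkin(url)
        except ValueError:
            continue  # unparseable timestamp or URL
        if matched:
            hits[client].append(when)
    return dict(hits)

def summarize(hits):
    """Per client: (request count, median seconds between check-ins or None)."""
    report = {}
    for client, times in hits.items():
        ts = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        report[client] = (len(ts), median(gaps) if gaps else None)
    return report

if __name__ == "__main__":
    print(summarize(find_checkins(SAMPLE_LOG)))
```

A client with several hits at a steady interval most likely has an app embedding the SDK installed; a single hit only shows that the endpoint was contacted once.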
Lookout isn’t publishing the list of the affected 500 apps because researchers don’t believe the developers knew of the spyware capabilities included in the SDK.
In an e-mail, a Google spokesman said: “We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe.”
How to Protect Your Android From This Malware
Google has since removed all the Android apps utilizing the rogue SDK from its Play Store marketplace, but those who have already installed one such app on their mobile handsets, make sure your device has .
Play Protect is Google’s newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users’ Android smartphones to prevent further harm.
In addition, you are strongly advised to always keep a good antivirus application on your device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up to date.
Android malware continues to evolve, gaining more sophisticated and never-before-seen capabilities with every passing day. Last month, we saw the first Android malware with code-injecting capabilities making the rounds on the Google Play Store.
A few days after that, researchers discovered another malicious Android SDK ads library, dubbed “,” found installed on more than 800 different apps that had been downloaded millions of times from Google Play Store.