More than 500 Android mobile apps have been removed from Google Play after it was discovered that an embedded advertising SDK could be leveraged to quietly install spyware on devices.
The SDK, called Igexin, was developed by a Chinese company and may have been used to install malware that could, among other things, exfiltrate logs from devices.
Researchers at mobile security company Lookout said on Monday that the 500-plus Android apps with the Igexin SDK had been downloaded more than 100 million times, though not all of them were infected with spyware.
Games aimed at teenagers, with between 50 million and 100 million downloads, were the largest concentration of apps containing the Igexin SDK. Weather apps, internet radio apps, photo editors, educational, health and fitness, travel and emoji apps were also identified by Lookout as classes of apps in which the SDK was found.
“While not all of these applications have been confirmed to download the malicious spying capability, Igexin could have introduced that functionality at their convenience,” Lookout security engineers Adam Bauer and Christoph Hebeisen wrote.
The Igexin SDK, like other advertising SDKs, is embedded by app developers to connect to mobile ad networks in order to deliver ads and generate revenue. These services routinely collect user data, which is then used to target advertising based on users' browsing habits and interests.
Lookout noted that Igexin departs from the recent pattern in which malware authors submit benign-looking apps to marketplaces and then, once the app is installed on a device, have it download malware or other malicious code.
“Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality—nor are they in control or even aware of the malicious payload that may subsequently execute,” Lookout said. “Instead, the invasive activity initiates from an Igexin-controlled server.”
Lookout said it discovered the suspicious behavior of these apps because they were communicating with IPs and servers known to deliver malware. One app, Lookout said, downloaded large encrypted files after making requests to a REST API located at an endpoint used by the Igexin SDK.
“The encrypted file downloads and the presence of calls within the com.igexin namespace to Android’s dalvik.system.DexClassLoader (used to load classes from a .jar or .apk file) were enough to warrant more in-depth analysis for possible malware hiding in its payload,” Lookout said.
The researchers said that the app developers were likely unaware of the types of information that could be exfiltrated from devices because of the SDK. The malicious versions of the SDK implement a plugin framework through which the device downloads arbitrary code from the endpoint at http://sdk[.]open[.]phone[.]igexin[.]com/api.php. Commands sent from the endpoint cause the SDK to download and execute payloads, Lookout said.
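As an added example, not code from Lookout or the article, the following Python script implements the kind of static check the researchers describe: it parses the header and string_ids table of a classes.dex file and flags the three indicators named in the text (the com.igexin namespace, a reference to dalvik.system.DexClassLoader, and the api.php endpoint). The DEX blob it scans is constructed inside the script from a hypothetical string list; apart from the three indicators, every class name and literal in that list is invented for illustration.

```python
"""Static triage of a DEX string pool for the Igexin indicators (added example)."""
import struct

DEX_HEADER_SIZE = 0x70        # fixed-size DEX header
STRING_IDS_SIZE_OFF = 0x38    # header fields: string_ids_size, string_ids_off
DATA_SIZE_OFF = 0x68          # header fields: data_size, data_off

# Indicators taken from the write-up, expressed as they appear in a DEX string pool
IGEXIN_PREFIX = "Lcom/igexin/"
DEX_CLASS_LOADER = "Ldalvik/system/DexClassLoader;"
IGEXIN_ENDPOINT = "sdk.open.phone.igexin.com/api.php"


def encode_uleb128(value: int) -> bytes:
    """ULEB128 encoding, used for string_data_item.utf16_size."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_uleb128(buf: bytes, off: int):
    """Return (value, offset just past the encoded integer)."""
    result = shift = 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def build_dex_with_strings(strings):
    """Construct a minimal DEX-shaped blob: header plus string pool only.
    This is constructed test data, not a real APK's classes.dex."""
    ids_off = DEX_HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:  # string_data_item: uleb128 length, MUTF-8 bytes, NUL terminator
        offsets.append(data_off + len(data))
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"                                # magic + version
    struct.pack_into("<I", header, 0x20, data_off + len(data))   # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)        # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)             # endian_tag (little-endian)
    struct.pack_into("<II", header, STRING_IDS_SIZE_OFF, len(strings), ids_off)
    struct.pack_into("<II", header, DATA_SIZE_OFF, len(data), data_off)
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header + ids + data)


def dex_strings(blob: bytes):
    """Walk string_ids and return every string in the pool.
    ASCII MUTF-8 is byte-identical to UTF-8; other text is decoded best-effort."""
    if blob[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", blob, STRING_IDS_SIZE_OFF)
    out = []
    for i in range(count):
        (str_off,) = struct.unpack_from("<I", blob, ids_off + 4 * i)
        _, start = decode_uleb128(blob, str_off)
        end = blob.index(b"\x00", start)
        out.append(blob[start:end].decode("utf-8", errors="replace"))
    return out


def triage(blob: bytes):
    """Return (verdict, hits). A pool hit only shows the symbol is referenced somewhere;
    as in the write-up, it is a reason for deeper analysis, not proof of malice."""
    hits = {"igexin_namespace": [], "dex_class_loader": [], "igexin_endpoint": []}
    for s in dex_strings(blob):
        if s.startswith(IGEXIN_PREFIX):
            hits["igexin_namespace"].append(s)
        if s == DEX_CLASS_LOADER:
            hits["dex_class_loader"].append(s)
        if IGEXIN_ENDPOINT in s:
            hits["igexin_endpoint"].append(s)
    if hits["igexin_namespace"] and hits["dex_class_loader"]:
        verdict = "review: igexin sdk with dynamic code loading"
    elif hits["dex_class_loader"]:
        verdict = "info: dynamic code loading present"
    else:
        verdict = "clean: no indicators"
    return verdict, hits


# Constructed sample pool; class names other than the indicators are hypothetical
SAMPLE_STRINGS = [
    "Lcom/example/weather/MainActivity;",
    "Lcom/igexin/sdk/PushService;",
    "Ldalvik/system/DexClassLoader;",
    "loadClass",
    "http://sdk.open.phone.igexin.com/api.php",
]

if __name__ == "__main__":
    verdict, hits = triage(build_dex_with_strings(SAMPLE_STRINGS))
    print(verdict)
    for name, matched in hits.items():
        print(f"  {name}: {matched}")
```

Against a real APK, point `dex_strings` at the classes.dex entries extracted from the archive; the string pool is only the first filter, and a hit should be followed by looking at the actual call sites inside the com.igexin package and at what the app fetches from the endpoint at runtime.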
“The functionality contained in the downloaded classes is completely under external control at runtime, and it may change at any time and can vary based on any factors chosen by the remote system operator,” Lookout said. “Users and app developers have no control over what will be executed on a device after the remote API request is made.”
Beyond exfiltrating logs from a device, other plugins can register functionality such as an Android PhoneStateListener, which records the time at which calls are made, the calling number and whether the phone was ringing, idle or off the hook.
Google, meanwhile, has been out front in marketing its successes, in particular at the RSA and Black Hat conferences. Adrian Ludwig, director of Android Security, said at RSA that Google analyzes its relationships with developers in order to find badly behaving apps.
Google said it analyzes aspects of the developer's business, customer feedback, software code and application behavior, then compares those attributes with other, seemingly unrelated apps that may also be problematic. Using machine learning, Google clusters apps that share similarities; apps and developers with a high probability of bad behavior are flagged, and human analysts confirm whether there is a security problem.