Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Google Removes 500 Android Apps Following Spyware Scare

Android apps embedded with an advertising software development kit removed after researchers discover its potential for stealing users' caller data.

Google has eliminated from its Play Store 500 Android apps that in all had been downloaded 100 million times following the discovery of an embedded Chinese advertising software development kit (SDK) that allowed spyware to pilfer users' caller information.

Earlier this year, Lookout Security researchers discovered developers were embedding the popular Igexin advertising SDK into their apps without realizing it would remotely download plugins into those apps: one of which was a spyware plugin that would steal caller data, says Christoph Hebeisen, a member of the Lookout Security Intelligence team that made the discovery.

Developers typically use SDKs to save time in coding or because they lack the expertise to code it themselves. The advertising SDKs allow mobile app developers to use advertising networks and deliver ads, which in turn allows the developers to generate revenue from those ads. Developers, however, often do to audit SDKs for vulnerabilities or malicious software and, more than likely, were not aware of Igexin's spyware plugin, Hebeisen notes.

He adds the Igexin case marked the first time an SDK was used as a vector to deliver a malicious payload and he expects attackers to turn to SDKs in due time.

"It is an interesting vector and something we need to be on the lookout for in the future," he says. "It is a challenge for an attacker to get a malicious app in Google Play or the App Store. But an SDK is a way for them to bundle it in with a legitimate app maker and reach a much wider audience."

Piggybacking onto a legitimate developer's work is expanding. XcodeGhost, for example, disguised itself as a complier waiting to be used by developers in their work, Hebeisen says.

Unraveling Igexin's SDK

Igexin's SDK plugin can pilfer call data, including phone numbers, time of call and whether the call rang, stood idle, or was off the hook, before uploading this information to the Chinese company, Hebeisen says.

"This was over the line. It wanted personal data," Hebeisen says, noting that some of the other Igexin plugins requested more benign information like a user's location.  

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

But more importantly, Igexin's ad SDK should not have had the capability to remotely allow plugins to be downloaded once the app was in Google Play, Hebeisen says.

Under normal circumstances, traditional app stores like Google Play and Apple's App Store do not allow apps to make changes once they have been vetted, Hebeisen says. As a result, SDK creators like Igexin must receive approval from app developers before making changes and the app is resubmitted to Google or Apple for approval.

"Igexin was clearly aware they were doing something that was not acceptable to Google Play, because they took steps to hide the [plugin] file they were downloading by using simple encryption and trying to cloak the information they were uploading," Hebeisen says.

He says it's unclear whether Igexin was collecting the information for its own benefit or for another party and why.

"If you are an enterprise and this information was taken from your salespeople, this would be a serious information leak," Hebeisen says.

Lookout informed Google of the Igexin plugins and either the apps were removed altogether, or the app developers were able to replace their apps with a new version of the software without the malicious plugin. Hebeisen says Google allowed Igexin to fix their SDK and did not ban it from Google Play.

"We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe," a Google spokesperson told Dark Reading.

Google removed the 500 apps with Igexin SDKs that it deemed had "bad functionality," but allowed other apps that used Igexin to remain in Google Play, says Google's spokesperson.

Google, which has an Android Play Protect program, was able to remove the 500 apps without any user action, the spokesperson says. 

Unplugging the Plugin

Lookout made the discovery earlier this year, during a normal review of apps that communicate with servers and IPs that previously dished out malware. The researchers found that an app that previously was deemed "clean" by Google Play and was now behaving suspiciously.

"This SDK was downloading large files and that is a classic behavior of malware," Hebeisen says. Upon further investigation, Lookout discovered Igexin's call data spyware plugin.  

In a sampling of eight to 10 apps that used Igexin's advertising SDK, more than half of them had the plugin that would steal call data, says Hebeisen. He notes that it is not clear how many of the 500 apps have the malicious plugins as part of Igexin's SDK.

Game apps targeting teens had between 50 million to 100 million downloads that contained Igexin's SDK, followed by weather apps and also photo editors with 1 million to 5 million downloads, respectively, and Internet radio with 500,000 to 1 million downloads, according to Lookout's blog post.

Although Igexin's advertising SDK has been around since at least 2014, Hebeisen says it is unknown when Igexin rolled out its malicious call data plugin.

Igexin, however, disputes the characterization of its plugin as malicious and says that it's instead a hotfix, a spokesperson told Dark Reading.

The company says that older versions of Igexin's SDK are capable of automatically applying a hotfix by downloading additional code at runtime. The purpose of the hotfix is to deal with Android fragmentation that arises over compatibility issues, which are particularly severe in China.

"We have to handle all kinds of compatibility problems as quickly as possible, and the hotfix technique is very popular in China to adapt the Chinese mobile market to the changes that happen so fast," the spokesperson said. "But upon being notified by Google, we have been closely working with Google and have removed the hotfix framework to fulfill the latest terms of service (TOS) policy from Google, and urged all of our app developers to update to the latest SDK. However, we're sorry that some apps did not update the SDK and were kicked off the Play Store."

In response to the call-log data collected, Igexin says that as a leading mobile push solution in China, its SDK should keep a steady socket connection to its server. In some older versions of its SDK, it uses the PhoneStateListener to detect call state changes in order to bring its socket connection back to normal following a long call.

"We also need more information to see approximately how long a call will last and how often there will be a call, on average," the Igexin spokesperson said. "We encrypted the phone number and treated it just as an anonymous ID. In the latest SDK, we don't need the PhoneStateListener anymore, so the apps that integrate the latest Igexin SDK are safe to use."

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
stereomax12
50%
50%
stereomax12,
User Rank: Apprentice
8/29/2019 | 6:57:28 AM
Re: Windows 7 Professional Product Key for 32/64 Bit
google must have taken that action long time ago but it is okay now, but what about other thousands of links?
loness58
50%
50%
loness58,
User Rank: Apprentice
4/28/2019 | 1:50:35 AM
Re: Windows 7 Professional Product Key for 32/64 Bit
Indeed, I appreciate this want to know about KIK for PC how to download and use KIK on PC.
WindowsProductkey
50%
50%
WindowsProductkey,
User Rank: Apprentice
11/16/2017 | 12:28:00 AM
Windows 7 Professional Product Key for 32/64 Bit
Want to know about Windows 7 Professional Product Key for 32/64 Bit, but don't know how? Contact us https://www.itechgyan.com/windows-7-professional-product-key-32-64-bit/  We will help you to solve your problems.  
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17476
PUBLISHED: 2020-08-10
Mibew Messenger before 3.2.7 allows XSS via a crafted user name.
CVE-2020-9525
PUBLISHED: 2020-08-10
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an authentication flaw that allows remote attackers to perform a man-in-the-middle attack, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
CVE-2020-9526
PUBLISHED: 2020-08-10
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devic...
CVE-2020-9527
PUBLISHED: 2020-08-10
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20, after 2018-08-09 through 2020), as used by many different vendors in millions of Internet of Things devices, suffers from buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code via ...
CVE-2020-9528
PUBLISHED: 2020-08-10
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20), as used by many different vendors in millions of Internet of Things devices, suffers from cryptographic issues that allow remote attackers to access user session data, as demonstrated by eavesdropping on user video/audio strea...