Threat Intelligence

8/23/2017
08:50 AM

Google Removes 500 Android Apps Following Spyware Scare

Android apps embedded with an advertising software development kit removed after researchers discover its potential for stealing users' caller data.

Google has removed 500 Android apps from its Play Store, apps that together had been downloaded 100 million times, following the discovery that an embedded Chinese advertising software development kit (SDK) let a spyware plugin pilfer users' call data.

Earlier this year, Lookout Security researchers discovered that developers were embedding the popular Igexin advertising SDK into their apps without realizing it could remotely download plugins into those apps, one of which was a spyware plugin that stole call data, says Christoph Hebeisen, a member of the Lookout Security Intelligence team that made the discovery.

Developers typically use SDKs to save coding time or because they lack the expertise to build the functionality themselves. Advertising SDKs let mobile app developers plug into advertising networks and serve ads, which in turn generates revenue for the developers. Developers, however, often do not audit SDKs for vulnerabilities or malicious code and, more than likely, were not aware of Igexin's spyware plugin, Hebeisen notes.

He adds that the Igexin case marked the first time an SDK was used as a vector to deliver a malicious payload, and he expects attackers to turn to SDKs in due course.

"It is an interesting vector and something we need to be on the lookout for in the future," he says. "It is a challenge for an attacker to get a malicious app in Google Play or the App Store. But an SDK is a way for them to bundle it in with a legitimate app maker and reach a much wider audience."

Piggybacking on a legitimate developer's work is a growing tactic. XcodeGhost, for example, disguised itself as a compiler waiting to be used by developers in their work, Hebeisen says.

Unraveling Igexin's SDK

Igexin's SDK plugin can pilfer call data, including phone numbers, time of call and whether the call rang, stood idle, or was off the hook, before uploading this information to the Chinese company, Hebeisen says.

"This was over the line. It wanted personal data," Hebeisen says, noting that some of the other Igexin plugins requested more benign information like a user's location.  


But more importantly, Igexin's ad SDK should not have had the capability to download plugins remotely once the app was in Google Play, Hebeisen says.

Under normal circumstances, traditional app stores like Google Play and Apple's App Store do not allow apps to change once they have been vetted, Hebeisen says. As a result, SDK makers like Igexin must get approval from the app developers before making changes, and the app is then resubmitted to Google or Apple for review.

"Igexin was clearly aware they were doing something that was not acceptable to Google Play, because they took steps to hide the [plugin] file they were downloading by using simple encryption and trying to cloak the information they were uploading," Hebeisen says.

He says it's unclear whether Igexin was collecting the information for its own benefit or for another party and why.

"If you are an enterprise and this information was taken from your salespeople, this would be a serious information leak," Hebeisen says.

Lookout informed Google of the Igexin plugins, and the affected apps were either removed altogether or replaced by their developers with a new version that did not carry the malicious plugin. Hebeisen says Google allowed Igexin to fix its SDK and did not ban it from Google Play.

"We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe," a Google spokesperson told Dark Reading.

Google removed the 500 apps with Igexin SDKs that it deemed had "bad functionality" but allowed other apps that use Igexin to remain in Google Play, the spokesperson says.

Google, through its Google Play Protect program, was able to remove the 500 apps from users' devices without any user action, the spokesperson says.

Unplugging the Plugin

Lookout made the discovery earlier this year during a routine review of apps that communicate with servers and IP addresses that had previously served malware. The researchers found an app that had previously been deemed "clean" by Google Play but was now behaving suspiciously.

"This SDK was downloading large files and that is a classic behavior of malware," Hebeisen says. Upon further investigation, Lookout discovered Igexin's call data spyware plugin.  

In a sampling of eight to 10 apps that used Igexin's advertising SDK, more than half contained the plugin that steals call data, says Hebeisen. He notes that it is not clear how many of the 500 apps actually received the malicious plugin through Igexin's SDK.

Game apps targeting teens accounted for between 50 million and 100 million downloads of apps containing Igexin's SDK, followed by weather apps and photo editors with 1 million to 5 million downloads each, and Internet radio apps with 500,000 to 1 million downloads, according to Lookout's blog post.

Although Igexin's advertising SDK has been around since at least 2014, Hebeisen says it is unknown when Igexin rolled out its malicious call data plugin.

Igexin, however, disputes the characterization of its plugin as malicious, saying it is instead a hotfix mechanism, a spokesperson told Dark Reading.

The company says that older versions of its SDK could automatically apply a hotfix by downloading additional code at runtime. The purpose of the hotfix, it says, is to cope with Android fragmentation and the compatibility issues it causes, which are particularly severe in China.

"We have to handle all kinds of compatibility problems as quickly as possible, and the hotfix technique is very popular in China to adapt the Chinese mobile market to the changes that happen so fast," the spokesperson said. "But upon being notified by Google, we have been closely working with Google and have removed the hotfix framework to fulfill the latest terms of service (TOS) policy from Google, and urged all of our app developers to update to the latest SDK. However, we're sorry that some apps did not update the SDK and were kicked off the Play Store."

Regarding the call-log data collected, Igexin says that, as a leading mobile push solution in China, its SDK must keep a steady socket connection to its server. Some older versions of the SDK use Android's PhoneStateListener to detect call state changes in order to restore that socket connection after a long call.

"We also need more information to see approximately how long a call will last and how often there will be a call, on average," the Igexin spokesperson said. "We encrypted the phone number and treated it just as an anonymous ID. In the latest SDK, we don't need the PhoneStateListener anymore, so the apps that integrate the latest Igexin SDK are safe to use."
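The Igexin story turns on two behaviours a reviewer can check for in a bundled SDK before shipping: code that loads additional classes at runtime (the remote plugin, or hotfix, mechanism described above) and code that listens for call-state changes (the PhoneStateListener use Igexin describes). As an added example that is not code from Lookout, Google or Igexin, the Python below pulls the string table out of every classes*.dex inside an APK and flags that combination. The indicator strings are standard Android and Java class and method names chosen for this example, the dex files and APK it scans are constructed inside the block, and it assumes string entries are plain ASCII (dex uses MUTF-8, which matches UTF-8 for ASCII). A hit is a reason to review the SDK, not proof of malice: Igexin's explanation above is exactly the kind of benign reading a hit can have.

```python
"""Triage an APK's dex string tables for runtime code loading plus
call-state monitoring, the indicator pair behind the Igexin case."""
import io
import struct
import zipfile

# Indicator sets are an assumption made for this example: standard Android/Java
# identifiers, not strings taken from the Igexin SDK itself.
INDICATORS = {
    "runtime_code_loading": (
        "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/PathClassLoader;",
        "Ldalvik/system/InMemoryDexClassLoader;",
    ),
    "call_state_monitoring": (
        "Landroid/telephony/PhoneStateListener;",
        "onCallStateChanged",
        "android.permission.READ_PHONE_STATE",
    ),
    "payload_decryption": (
        "Ljavax/crypto/Cipher;",
        "Ljavax/crypto/spec/SecretKeySpec;",
    ),
}


def _uleb128(buf, off):
    """Decode a ULEB128 integer at buf[off]; return (value, next_offset)."""
    value = shift = 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def dex_strings(dex):
    """Return every entry of a dex file's string table.
    Per the dex format: string_ids_size at 0x38, string_ids_off at 0x3C; each
    string_id is a uint32 offset to (uleb128 utf16_size, MUTF-8 bytes, NUL)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _, start = _uleb128(dex, data_off)          # skip the utf16 length
        end = dex.index(b"\x00", start)
        out.append(dex[start:end].decode("utf-8", "replace"))  # ASCII assumption
    return out


def classify(strings):
    """Map indicator category -> sorted list of matching string-table entries."""
    present = set(strings)
    found = {}
    for cat, needles in INDICATORS.items():
        hits = sorted(n for n in needles if n in present)
        if hits:
            found[cat] = hits
    return found


def triage_apk(apk_bytes):
    """Scan every classes*.dex in an APK (as bytes). review_needed is set only
    when runtime loading AND call-state monitoring both appear."""
    strings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                strings.extend(dex_strings(z.read(name)))
    hits = classify(strings)
    both = "runtime_code_loading" in hits and "call_state_monitoring" in hits
    return {"hits": hits, "review_needed": both}


def build_dex(strings):
    """Constructed fixture: a minimal dex blob holding only a string table.
    Not a valid app, just enough header for dex_strings() to parse."""
    header_size = 0x70
    ids_off = header_size
    data_off = ids_off + 4 * len(strings)
    id_table, data = bytearray(), bytearray()
    for s in strings:
        assert len(s) < 128, "single-byte uleb128 length only in this fixture"
        id_table += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    header = bytearray(header_size)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, header_size + len(id_table) + len(data))
    struct.pack_into("<I", header, 0x24, header_size)
    struct.pack_into("<I", header, 0x28, 0x12345678)        # endian tag
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + id_table + data)


def build_apk(dex_blobs):
    """Constructed fixture: zip the dex blobs under the real APK entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for i, blob in enumerate(dex_blobs):
            z.writestr("classes.dex" if i == 0 else f"classes{i + 1}.dex", blob)
    return buf.getvalue()


# Constructed sample: benign main dex plus an SDK dex that loads code at
# runtime and watches call state, the pattern described in the article.
SAMPLE_APK = build_apk([
    build_dex(["Lcom/example/weather/MainActivity;", "onCreate"]),
    build_dex(["Ldalvik/system/DexClassLoader;", "loadClass",
               "Landroid/telephony/PhoneStateListener;", "onCallStateChanged",
               "Ljavax/crypto/Cipher;"]),
])
BENIGN_APK = build_apk([build_dex(["Lcom/example/weather/MainActivity;"])])

if __name__ == "__main__":
    for label, apk in (("sample", SAMPLE_APK), ("benign", BENIGN_APK)):
        print(label, triage_apk(apk))
```

Run against a real APK with `triage_apk(open("app.apk", "rb").read())`; obfuscated SDKs may hide the loader behind reflection, so an empty result is not a clean bill of health either, only an absence of the plain-text indicators.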


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
