Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Google Removes 500 Android Apps Following Spyware Scare

Android apps embedded with an advertising software development kit removed after researchers discover its potential for stealing users' caller data.

Google has eliminated from its Play Store 500 Android apps that in all had been downloaded 100 million times following the discovery of an embedded Chinese advertising software development kit (SDK) that allowed spyware to pilfer users' caller information.

Earlier this year, Lookout Security researchers discovered developers were embedding the popular Igexin advertising SDK into their apps without realizing it would remotely download plugins into those apps: one of which was a spyware plugin that would steal caller data, says Christoph Hebeisen, a member of the Lookout Security Intelligence team that made the discovery.

Developers typically use SDKs to save time in coding or because they lack the expertise to code it themselves. The advertising SDKs allow mobile app developers to use advertising networks and deliver ads, which in turn allows the developers to generate revenue from those ads. Developers, however, often do to audit SDKs for vulnerabilities or malicious software and, more than likely, were not aware of Igexin's spyware plugin, Hebeisen notes.

He adds the Igexin case marked the first time an SDK was used as a vector to deliver a malicious payload and he expects attackers to turn to SDKs in due time.

"It is an interesting vector and something we need to be on the lookout for in the future," he says. "It is a challenge for an attacker to get a malicious app in Google Play or the App Store. But an SDK is a way for them to bundle it in with a legitimate app maker and reach a much wider audience."

Piggybacking onto a legitimate developer's work is expanding. XcodeGhost, for example, disguised itself as a complier waiting to be used by developers in their work, Hebeisen says.

Unraveling Igexin's SDK

Igexin's SDK plugin can pilfer call data, including phone numbers, time of call and whether the call rang, stood idle, or was off the hook, before uploading this information to the Chinese company, Hebeisen says.

"This was over the line. It wanted personal data," Hebeisen says, noting that some of the other Igexin plugins requested more benign information like a user's location.  

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

But more importantly, Igexin's ad SDK should not have had the capability to remotely allow plugins to be downloaded once the app was in Google Play, Hebeisen says.

Under normal circumstances, traditional app stores like Google Play and Apple's App Store do not allow apps to make changes once they have been vetted, Hebeisen says. As a result, SDK creators like Igexin must receive approval from app developers before making changes and the app is resubmitted to Google or Apple for approval.

"Igexin was clearly aware they were doing something that was not acceptable to Google Play, because they took steps to hide the [plugin] file they were downloading by using simple encryption and trying to cloak the information they were uploading," Hebeisen says.

He says it's unclear whether Igexin was collecting the information for its own benefit or for another party and why.

"If you are an enterprise and this information was taken from your salespeople, this would be a serious information leak," Hebeisen says.

Lookout informed Google of the Igexin plugins and either the apps were removed altogether, or the app developers were able to replace their apps with a new version of the software without the malicious plugin. Hebeisen says Google allowed Igexin to fix their SDK and did not ban it from Google Play.

"We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe," a Google spokesperson told Dark Reading.

Google removed the 500 apps with Igexin SDKs that it deemed had "bad functionality," but allowed other apps that used Igexin to remain in Google Play, says Google's spokesperson.

Google, which has an Android Play Protect program, was able to remove the 500 apps without any user action, the spokesperson says. 

Unplugging the Plugin

Lookout made the discovery earlier this year, during a normal review of apps that communicate with servers and IPs that previously dished out malware. The researchers found that an app that previously was deemed "clean" by Google Play and was now behaving suspiciously.

"This SDK was downloading large files and that is a classic behavior of malware," Hebeisen says. Upon further investigation, Lookout discovered Igexin's call data spyware plugin.  

In a sampling of eight to 10 apps that used Igexin's advertising SDK, more than half of them had the plugin that would steal call data, says Hebeisen. He notes that it is not clear how many of the 500 apps have the malicious plugins as part of Igexin's SDK.

Game apps targeting teens had between 50 million to 100 million downloads that contained Igexin's SDK, followed by weather apps and also photo editors with 1 million to 5 million downloads, respectively, and Internet radio with 500,000 to 1 million downloads, according to Lookout's blog post.

Although Igexin's advertising SDK has been around since at least 2014, Hebeisen says it is unknown when Igexin rolled out its malicious call data plugin.

Igexin, however, disputes the characterization of its plugin as malicious and says that it's instead a hotfix, a spokesperson told Dark Reading.

The company says that older versions of Igexin's SDK are capable of automatically applying a hotfix by downloading additional code at runtime. The purpose of the hotfix is to deal with Android fragmentation that arises over compatibility issues, which are particularly severe in China.

"We have to handle all kinds of compatibility problems as quickly as possible, and the hotfix technique is very popular in China to adapt the Chinese mobile market to the changes that happen so fast," the spokesperson said. "But upon being notified by Google, we have been closely working with Google and have removed the hotfix framework to fulfill the latest terms of service (TOS) policy from Google, and urged all of our app developers to update to the latest SDK. However, we're sorry that some apps did not update the SDK and were kicked off the Play Store."

In response to the call-log data collected, Igexin says that as a leading mobile push solution in China, its SDK should keep a steady socket connection to its server. In some older versions of its SDK, it uses the PhoneStateListener to detect call state changes in order to bring its socket connection back to normal following a long call.

"We also need more information to see approximately how long a call will last and how often there will be a call, on average," the Igexin spokesperson said. "We encrypted the phone number and treated it just as an anonymous ID. In the latest SDK, we don't need the PhoneStateListener anymore, so the apps that integrate the latest Igexin SDK are safe to use."

Related Content:


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
4/28/2019 | 1:50:35 AM
Re: Windows 7 Professional Product Key for 32/64 Bit
Indeed, I appreciate this want to know about KIK for PC how to download and use KIK on PC.
User Rank: Apprentice
8/29/2019 | 6:57:28 AM
Re: Windows 7 Professional Product Key for 32/64 Bit
google must have taken that action long time ago but it is okay now, but what about other thousands of links?
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.