Google Removes 500 Android Apps Following Spyware Scare

Android apps embedded with an advertising software development kit removed after researchers discover its potential for stealing users' caller data.

Google has eliminated from its Play Store 500 Android apps that in all had been downloaded 100 million times following the discovery of an embedded Chinese advertising software development kit (SDK) that allowed spyware to pilfer users' caller information.

Earlier this year, Lookout Security researchers discovered that developers were embedding the popular Igexin advertising SDK into their apps without realizing it would remotely download plugins into those apps, one of which was a spyware plugin that stole caller data, says Christoph Hebeisen, a member of the Lookout Security Intelligence team that made the discovery.

Developers typically use SDKs to save time in coding or because they lack the expertise to write the functionality themselves. Advertising SDKs allow mobile app developers to plug into advertising networks and deliver ads, which in turn lets the developers generate revenue from those ads. Developers, however, often do not audit SDKs for vulnerabilities or malicious software and, more than likely, were not aware of Igexin's spyware plugin, Hebeisen notes.

He adds that the Igexin case marked the first time an SDK was used as a vector to deliver a malicious payload, and he expects attackers to turn to SDKs in due time.

"It is an interesting vector and something we need to be on the lookout for in the future," he says. "It is a challenge for an attacker to get a malicious app in Google Play or the App Store. But an SDK is a way for them to bundle it in with a legitimate app maker and reach a much wider audience."

Piggybacking onto a legitimate developer's work is becoming more common. XcodeGhost, for example, disguised itself as a compiler waiting to be used by developers in their work, Hebeisen says.

Unraveling Igexin's SDK

Igexin's SDK plugin can pilfer call data, including phone numbers, time of call and whether the call rang, stood idle, or was off the hook, before uploading this information to the Chinese company, Hebeisen says.

"This was over the line. It wanted personal data," Hebeisen says, noting that some of the other Igexin plugins requested more benign information like a user's location.  

But more importantly, Igexin's ad SDK should not have had the capability to remotely allow plugins to be downloaded once the app was in Google Play, Hebeisen says.

Under normal circumstances, traditional app stores like Google Play and Apple's App Store do not allow apps to make changes once they have been vetted, Hebeisen says. As a result, SDK creators like Igexin must receive approval from app developers before making changes and the app is resubmitted to Google or Apple for approval.

"Igexin was clearly aware they were doing something that was not acceptable to Google Play, because they took steps to hide the [plugin] file they were downloading by using simple encryption and trying to cloak the information they were uploading," Hebeisen says.

He says it's unclear whether Igexin was collecting the information for its own benefit or for another party and why.

"If you are an enterprise and this information was taken from your salespeople, this would be a serious information leak," Hebeisen says.

Lookout informed Google of the Igexin plugins and either the apps were removed altogether, or the app developers were able to replace their apps with a new version of the software without the malicious plugin. Hebeisen says Google allowed Igexin to fix their SDK and did not ban it from Google Play.

"We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe," a Google spokesperson told Dark Reading.

Google removed the 500 apps with Igexin SDKs that it deemed had "bad functionality," but allowed other apps that used Igexin to remain in Google Play, says Google's spokesperson.

Google, which has an Android Play Protect program, was able to remove the 500 apps without any user action, the spokesperson says. 

Unplugging the Plugin

Lookout made the discovery earlier this year during a routine review of apps that communicate with servers and IP addresses that had previously served malware. The researchers found that an app Google Play had previously deemed "clean" was now behaving suspiciously.

"This SDK was downloading large files and that is a classic behavior of malware," Hebeisen says. Upon further investigation, Lookout discovered Igexin's call data spyware plugin.  

In a sampling of eight to 10 apps that used Igexin's advertising SDK, more than half of them had the plugin that would steal call data, says Hebeisen. He notes that it is not clear how many of the 500 apps have the malicious plugins as part of Igexin's SDK.

Game apps targeting teens that contained Igexin's SDK had between 50 million and 100 million downloads, followed by weather apps and photo editors with 1 million to 5 million downloads each, and Internet radio apps with 500,000 to 1 million downloads, according to Lookout's blog post.

Although Igexin's advertising SDK has been around since at least 2014, Hebeisen says it is unknown when Igexin rolled out its malicious call data plugin.

Igexin, however, disputes the characterization of its plugin as malicious and says that it's instead a hotfix, a spokesperson told Dark Reading.

The company says that older versions of Igexin's SDK are capable of automatically applying a hotfix by downloading additional code at runtime. The purpose of the hotfix is to deal with the compatibility issues that arise from Android fragmentation, which are particularly severe in China.

"We have to handle all kinds of compatibility problems as quickly as possible, and the hotfix technique is very popular in China to adapt the Chinese mobile market to the changes that happen so fast," the spokesperson said. "But upon being notified by Google, we have been closely working with Google and have removed the hotfix framework to fulfill the latest terms of service (TOS) policy from Google, and urged all of our app developers to update to the latest SDK. However, we're sorry that some apps did not update the SDK and were kicked off the Play Store."

In response to questions about the call-log data collected, Igexin says that, as a leading mobile push solution in China, its SDK must keep a steady socket connection to its server. Some older versions of its SDK use the PhoneStateListener to detect call state changes in order to restore the socket connection after a long call.

"We also need more information to see approximately how long a call will last and how often there will be a call, on average," the Igexin spokesperson said. "We encrypted the phone number and treated it just as an anonymous ID. In the latest SDK, we don't need the PhoneStateListener anymore, so the apps that integrate the latest Igexin SDK are safe to use."
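The two behaviours at the centre of this story, an SDK that fetches and runs code after the app has been vetted and an SDK that watches telephony call state, are both visible statically in an APK even when the downloaded plugin itself is not. The following Python script is an added example, not code from Lookout, Google, Igexin or this article, of the kind of triage check an app-vetting or mobile-security team could run over decoded APKs. The Android class and permission names it looks for are real; the two manifests and class lists are constructed sample inputs standing in for what a decoder such as apktool would produce, and the severity scale is an assumption of this example.

```python
"""Static triage for the pattern described above: an app whose code can load
plugins fetched at runtime and can observe telephony call state.

Added example; the manifests and class lists below are constructed inputs.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by android:* attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Class loaders that let an app run code it did not ship with (real Android
# classes; treating them as indicators is this example's assumption).
DYNAMIC_LOADING_CLASSES = {
    "dalvik/system/DexClassLoader",
    "dalvik/system/PathClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
}
# Classes and permissions that expose call state or call metadata.
CALL_STATE_CLASSES = {
    "android/telephony/PhoneStateListener",
    "android/telephony/TelephonyCallback",
}
CALL_STATE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_NUMBERS",
}


@dataclass
class Finding:
    package: str
    dynamic_loading: bool
    call_state_access: bool
    severity: str   # "none", "low", "medium" or "high" (assumed scale)
    evidence: list


def permissions_from_manifest(manifest_xml: str) -> set:
    """Collect <uses-permission android:name=...> values from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def package_from_manifest(manifest_xml: str) -> str:
    return ET.fromstring(manifest_xml).get("package", "<unknown>")


def triage(manifest_xml: str, class_refs: set) -> Finding:
    """Score one app from its manifest and the class names its DEX code references.

    Limitation worth stating: a plugin downloaded at runtime is never inside the
    APK, so a static scan can only flag the capability to load it, not what it
    does. That is why dynamic loading alone already rates "medium" here.
    """
    perms = permissions_from_manifest(manifest_xml)
    loaders = class_refs & DYNAMIC_LOADING_CLASSES
    call_classes = class_refs & CALL_STATE_CLASSES
    call_perms = perms & CALL_STATE_PERMISSIONS

    dynamic = bool(loaders)
    call_state = bool(call_classes or call_perms)
    if dynamic and call_state:
        severity = "high"
    elif dynamic:
        severity = "medium"
    elif call_state:
        severity = "low"
    else:
        severity = "none"
    evidence = sorted(loaders) + sorted(call_classes) + sorted(call_perms)
    return Finding(package_from_manifest(manifest_xml), dynamic, call_state, severity, evidence)


# Constructed sample inputs: a decoded manifest plus the class names found in
# the app's DEX files (as a decoder would list them).
WEATHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
WEATHER_CLASSES = {"dalvik/system/DexClassLoader", "com/example/ads/PluginLoader"}

NOTES_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
NOTES_CLASSES = {"android/util/Log", "androidx/appcompat/app/AppCompatActivity"}

SAMPLES = [(WEATHER_MANIFEST, WEATHER_CLASSES), (NOTES_MANIFEST, NOTES_CLASSES)]


def triage_samples() -> dict:
    """Run triage over the constructed samples, keyed by package name."""
    return {f.package: f for f in (triage(m, c) for m, c in SAMPLES)}


if __name__ == "__main__":
    for f in triage_samples().values():
        print(f"{f.package}: {f.severity} {f.evidence}")
```

In practice the class list would come from a DEX parser rather than a hand-written set, and a "medium" or "high" finding is a reason to capture the app's network traffic and look at what it downloads, which is how Lookout's review started: large file downloads from an app that had already passed store review.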

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
