Google has eliminated from its Play Store 500 Android apps that in all had been downloaded 100 million times following the discovery of an embedded Chinese advertising software development kit (SDK) that allowed spyware to pilfer users' caller information.
Earlier this year, Lookout Security researchers discovered developers were embedding the popular Igexin advertising SDK into their apps without realizing it would remotely download plugins into those apps: one of which was a spyware plugin that would steal caller data, says Christoph Hebeisen, a member of the Lookout Security Intelligence team that made the discovery.
Developers typically use SDKs to save time in coding or because they lack the expertise to code it themselves. The advertising SDKs allow mobile app developers to use advertising networks and deliver ads, which in turn allows the developers to generate revenue from those ads. Developers, however, often do to audit SDKs for vulnerabilities or malicious software and, more than likely, were not aware of Igexin's spyware plugin, Hebeisen notes.
He adds the Igexin case marked the first time an SDK was used as a vector to deliver a malicious payload and he expects attackers to turn to SDKs in due time.
"It is an interesting vector and something we need to be on the lookout for in the future," he says. "It is a challenge for an attacker to get a malicious app in Google Play or the App Store. But an SDK is a way for them to bundle it in with a legitimate app maker and reach a much wider audience."
Piggybacking onto a legitimate developer's work is expanding. XcodeGhost, for example, disguised itself as a complier waiting to be used by developers in their work, Hebeisen says.
Unraveling Igexin's SDK
Igexin's SDK plugin can pilfer call data, including phone numbers, time of call and whether the call rang, stood idle, or was off the hook, before uploading this information to the Chinese company, Hebeisen says.
"This was over the line. It wanted personal data," Hebeisen says, noting that some of the other Igexin plugins requested more benign information like a user's location.
But more importantly, Igexin's ad SDK should not have had the capability to remotely allow plugins to be downloaded once the app was in Google Play, Hebeisen says.
Under normal circumstances, traditional app stores like Google Play and Apple's App Store do not allow apps to make changes once they have been vetted, Hebeisen says. As a result, SDK creators like Igexin must receive approval from app developers before making changes and the app is resubmitted to Google or Apple for approval.
"Igexin was clearly aware they were doing something that was not acceptable to Google Play, because they took steps to hide the [plugin] file they were downloading by using simple encryption and trying to cloak the information they were uploading," Hebeisen says.
He says it's unclear whether Igexin was collecting the information for its own benefit or for another party and why.
"If you are an enterprise and this information was taken from your salespeople, this would be a serious information leak," Hebeisen says.
Lookout informed Google of the Igexin plugins and either the apps were removed altogether, or the app developers were able to replace their apps with a new version of the software without the malicious plugin. Hebeisen says Google allowed Igexin to fix their SDK and did not ban it from Google Play.
"We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe," a Google spokesperson told Dark Reading.
Google removed the 500 apps with Igexin SDKs that it deemed had "bad functionality," but allowed other apps that used Igexin to remain in Google Play, says Google's spokesperson.
Google, which has an Android Play Protect program, was able to remove the 500 apps without any user action, the spokesperson says.
Unplugging the Plugin
Lookout made the discovery earlier this year, during a normal review of apps that communicate with servers and IPs that previously dished out malware. The researchers found that an app that previously was deemed "clean" by Google Play and was now behaving suspiciously.
"This SDK was downloading large files and that is a classic behavior of malware," Hebeisen says. Upon further investigation, Lookout discovered Igexin's call data spyware plugin.
In a sampling of eight to 10 apps that used Igexin's advertising SDK, more than half of them had the plugin that would steal call data, says Hebeisen. He notes that it is not clear how many of the 500 apps have the malicious plugins as part of Igexin's SDK.
Game apps targeting teens had between 50 million to 100 million downloads that contained Igexin's SDK, followed by weather apps and also photo editors with 1 million to 5 million downloads, respectively, and Internet radio with 500,000 to 1 million downloads, according to Lookout's blog post.
Although Igexin's advertising SDK has been around since at least 2014, Hebeisen says it is unknown when Igexin rolled out its malicious call data plugin.
Igexin, however, disputes the characterization of its plugin as malicious and says that it's instead a hotfix, a spokesperson told Dark Reading.
The company says that older versions of Igexin's SDK are capable of automatically applying a hotfix by downloading additional code at runtime. The purpose of the hotfix is to deal with Android fragmentation that arises over compatibility issues, which are particularly severe in China.
"We have to handle all kinds of compatibility problems as quickly as possible, and the hotfix technique is very popular in China to adapt the Chinese mobile market to the changes that happen so fast," the spokesperson said. "But upon being notified by Google, we have been closely working with Google and have removed the hotfix framework to fulfill the latest terms of service (TOS) policy from Google, and urged all of our app developers to update to the latest SDK. However, we're sorry that some apps did not update the SDK and were kicked off the Play Store."
In response to the call-log data collected, Igexin says that as a leading mobile push solution in China, its SDK should keep a steady socket connection to its server. In some older versions of its SDK, it uses the PhoneStateListener to detect call state changes in order to bring its socket connection back to normal following a long call.
"We also need more information to see approximately how long a call will last and how often there will be a call, on average," the Igexin spokesperson said. "We encrypted the phone number and treated it just as an anonymous ID. In the latest SDK, we don't need the PhoneStateListener anymore, so the apps that integrate the latest Igexin SDK are safe to use."
Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio