500 Android Apps on Google Play Store Secretly Compromised with Powerful SDK.
Due to a malicious advertising SDK, Hundreds (approx. 500) of Android applications have been compromised to distribute spyware to unsuspecting users discreetly. SDK is a software development kit, and it is commonly used in both free and paid mobile apps to deliver ads to the users using existing advertising networks. This is a very interesting way to generate revenue.
As for the infected Android apps, they are available on Google Play as well. However, what’s worrisome is that these apps have been downloaded more than 100 million times, which means millions of users are at risk.
Lookout’s security researchers have identified that various Android app developers unintentionally have been deploying a nasty SDK known as Igexin. This particular SDK is of Chinese origin and can be exploited by hackers. It propagates services that claim to leverage data related to people like their location, interests, occupation, and income, etc.
Researchers at Lookout started investigating this SDK after they noticed communication between apps and servers that were known for distributing malware. A bit more research revealed that most of the requests from these infected apps were being made to an endpoint that in use by the Igexin ad SDK. Since this kind of traffic is often used by malware distributors who are expert at hiding their payloads within apps to make them look authentic, suspicion was raised within the LookOut fraternity.
App developers stay unaware of the abuse of app permissions but the SDK because the function is not apparent on the onset; moreover, the attackers can modify the malicious code anytime.
“It is likely many app developers were not aware of the personal information that could be exfiltrated from their customers’ devices as a result of embedding Igexin’s ad SDK. It required deep analysis of the apps’ and ad SDK’s behavior by our researchers to make this discovery. Not only is the functionality not immediately obvious, but it could also be altered at any time on the remote server,” noted the research team.
This means the most exploitative function of Igexin code is of log exfiltration. This enables hackers and attackers to exploit every type of user data. PhoneStateListener is also utilized by the apps, which is an authentic tool having the capability to record call logs. The compromised apps didn’t indicate that they could record times of calls and numbers.
The research team provided two examples of the infected apps on Google Play. One was SelfieCity, a photography app that has been downloaded 5 million times, and another app called LuckyCash that has over a million downloads so far.
According to Lookout, Google was informed about the secret functionality of Igexin, and the company immediately removed the infected apps from the Play Store and uploaded their new, clean versions. The above mentioned two apps are also no more infected.
Do not download unnecessary apps on your smartphone
LookOut states that other compromised apps included a weather app and a photo app both of which had one to five million downloads, a game that had more than 50 million downloads. There was an internet radio app as well that was downloaded about a million times. Some other apps available on Google Play Store such as health & fitness apps, emoji, home video cameras, educational and travel related apps were infected too.
Although Google’s prompt response has ensured that none of the new downloaders get victimized by malicious cyber criminals, the fact that more than 100 million android phone users have already downloaded these apps with spying capabilities is a cause of serious concern. Apparently, these users and their employers are at risk of being exploited. SDK’s use to infect Android devices is a relatively new trend that lets threat actors to insert malware on devices through a seemingly clean and reliable app.
Google is nonetheless, trying to keep its Play Store free from infected apps and this is why the company recently introduced a new solution to safeguard Android devices. It is called Google Play Protect, and its function is to scan the apps automatically before they are downloaded.