Mobile security firm Lookout has released a report on their discovery that more than 500 apps on the Google Play Store could be infected with spyware via an advertising software development kit (SDK) called Igexin, which was capable of spying on victims through certain apps by downloading malicious plugins.
Typically, developers use advertising SDKs to earn money by serving targeted ads to users; Igexin is one such SDK from China. Lookout notes that their researchers noticed suspicious activity from a certain app. The app was downloading large, encrypted files after making a series of initial requests to a REST API (a method of allowing communication between a web-based client and server) at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint (the URL where a service can be accessed by a client application) used by the Igexin ad SDK.
Lookout says that “this sort of traffic is often the result of malware that downloads and executes code after an initially “clean” app is installed, in order to evade detection.” In the case that Lookout investigated, they found that a number of malicious plugins registered a PhoneStateListener if the following conditions were met:
- A setting stored in an internal SQLite database is enabled
- The app has “android.permission.READ_PHONE_STATE” permissions
This PhoneStateListener will then save:
- The time of the call
- The calling number
- The call state (idle, ringing, or off hook)
The saved data is then sent to Igexin’s endpoint.
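The traffic pattern Lookout describes (a series of requests to the Igexin api.php endpoint, followed by a large download) can be turned into a simple triage rule over proxy logs. The script below is an added example, not code from Lookout or from the report; the log format, device names, query strings, download URL and the 1 MB "large" threshold are all constructed assumptions, and the endpoint is the one named in the article.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines, not real traffic:
# <device> <method> <url> <response-bytes>
SAMPLE_LOG = """\
dev-01 GET http://sdk.open.phone.igexin.com/api.php?cmd=init 512
dev-01 POST http://sdk.open.phone.igexin.com/api.php?cmd=plugins 640
dev-01 GET http://cdn.example-placeholder.net/p/4f2a.dat 2400000
dev-02 GET http://www.example.com/index.html 1024
dev-03 GET http://sdk.open.phone.igexin.com/api.php?cmd=init 400
dev-03 GET http://www.example.com/logo.png 8192
"""

# Endpoint named in Lookout's report; the query strings in the sample are made up.
IGEXIN_API = re.compile(r"^https?://sdk\.open\.phone\.igexin\.com/api\.php")
LARGE_BYTES = 1_000_000  # "large" threshold is an assumption; tune for your environment


def parse_line(line):
    """Split one constructed log line into (device, method, url, size_bytes)."""
    device, method, url, size = line.split()
    return device, method, url, int(size)


def find_suspicious_devices(log_text, large_bytes=LARGE_BYTES):
    """Flag devices that contact the Igexin api.php endpoint and afterwards
    pull a large payload from anywhere. Returns {device: (api_calls, url)}.
    This is a triage heuristic: hits are a pivot for investigation, not proof."""
    api_calls = defaultdict(int)
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        device, _method, url, size = parse_line(raw)
        if IGEXIN_API.match(url):
            api_calls[device] += 1
        elif api_calls[device] and size >= large_bytes and device not in flagged:
            # Only the first large download after the api.php contact is recorded.
            flagged[device] = (api_calls[device], url)
    return flagged


if __name__ == "__main__":
    for device, (calls, url) in find_suspicious_devices(SAMPLE_LOG).items():
        print(f"{device}: {calls} api.php request(s) then large download {url}")
```

Only dev-01 is flagged: dev-03 contacted the endpoint but its later download is far below the threshold, and dev-02 never touched it.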
Some of the apps infected by the spyware include:
- Games targeted at teens (one with 50M-100M downloads)
- Weather apps (one with 1M-5M downloads)
- Internet radio (500K-1M downloads)
- Photo editors (1M-5M downloads)
- Educational, health and fitness, travel, emoji, home video camera apps
After this investigation, Lookout presented their report to Google, and all apps that used the Igexin ad SDK were removed from the store and only allowed back after changing their ad SDK. Lookout explains that many app developers were likely unaware of the personal information that could be exfiltrated from their customers’ devices as a result of embedding Igexin’s ad SDK.