More than 500 Android applications could have been used to secretly spread spyware to users, thanks to a malicious advertising SDK (software development kit). The applications have been collectively downloaded over 100 million times from the Google Play Store.
Mobile applications, particularly free ones, commonly use advertising SDKs to deliver ads to their users through existing advertising networks, thereby generating revenue.
Many application developers inadvertently included a rogue SDK called Igexin, which can be used for malicious activity. SDKs (software development kits) are essentially small packages of pre-written, pre-packaged code that you can drop into your product so that you don't have to reinvent it each time.
Basically every application out there, from the smallest mobile application to the greatest blockbuster computer game, licenses and uses some SDKs to produce the final product. That is fine and dandy, as long as the SDK is legitimate and not compromised. But this specific SDK, Igexin, seems not to have met that standard.
How does it function?
Igexin is Chinese in origin and promotes services that use information about people, including their occupation, salary, interests, and location, for advertising purposes. The Igexin SDK is used to serve targeted advertising to people using free applications. However, the researchers spotted an unusual traffic pattern coming from applications using the Igexin SDK.
The pattern was consistent with behavior the researchers had regularly seen when “clean” applications secretly install some sort of malware after the fact, to avoid detection in advance.
The application developers would have been unaware of the SDK's abuse of app permissions for data collection: this functionality is not immediately obvious, and those behind the malicious code can change it whenever they want.
That made the researchers look more closely, and they found that the malicious versions of the Igexin SDK enabled third parties to remotely load new code onto a user’s Android phone to do, basically, anything.
The most serious functionality the researchers actually observed from any of the applications using the malicious version of the SDK is log exfiltration. The applications also used PhoneStateListener, an Android API able to record details about calls. In other words, your smartphone records the calls you make and receive, when they happen, and whether each call connects.
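For teams auditing apps they ship or allow on managed devices, the two behaviours described above leave static traces in an APK. The following Python script is an added example, not code from the researchers or from this article; it parses each DEX string table and flags references to PhoneStateListener and to DexClassLoader (an assumption, since the article does not say which loading API the SDK used), and it runs on a constructed sample APK.

```python
import io
import struct
import zipfile

# Dalvik type descriptors for the two behaviours described above. DexClassLoader
# is an assumption: the article does not say which loading API the SDK used.
INDICATORS = {
    "Ldalvik/system/DexClassLoader;": "can load code at runtime",
    "Landroid/telephony/PhoneStateListener;": "can observe call state",
}

def dex_strings(dex):
    """Yield every entry of a DEX file's string table."""
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    for i in range(count):
        (pos,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        while dex[pos] & 0x80:          # skip the ULEB128 length prefix
            pos += 1
        pos += 1
        end = dex.index(b"\x00", pos)   # string data is NUL-terminated MUTF-8
        yield dex[pos:end].decode("utf-8", "replace")

def scan_apk(apk_bytes):
    """Map each classes*.dex in the APK to the indicator labels it references."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in sorted(n for n in apk.namelist() if n.endswith(".dex")):
            present = set(dex_strings(apk.read(name)))
            hits = [label for desc, label in INDICATORS.items() if desc in present]
            if hits:
                report[name] = hits
    return report

def build_sample_apk(strings):
    """Constructed test input: a zip holding a header-and-string-table-only classes.dex."""
    ids_off, ids, blob = 0x70, b"", b""
    data_off = ids_off + 4 * len(strings)
    for s in strings:                   # all sample strings are < 128 bytes
        ids += struct.pack("<I", data_off + len(blob))
        blob += bytes([len(s)]) + s.encode() + b"\x00"
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", bytes(header) + ids + blob)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(build_sample_apk(list(INDICATORS) + ["Lcom/example/Main;"])))
```

A hit means the app warrants review, not that it is malicious: both APIs have legitimate uses, and code fetched after installation never appears in the APK itself.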
Google has removed the tracking apps
Other infected applications included a game targeted at teenagers with more than 50 million downloads, as well as a photo application and a weather application, both with between one million and five million downloads, and a web radio application with between 500,000 and one million downloads.
Many other applications downloaded from the Google Play Store, including health and wellness, educational, emoji, travel, and home video camera applications, were also found to have been compromised. The developers of the affected applications were unaware of the security flaws.
Google has been informed about Igexin's hidden tracking functionality, and all infected applications have now been removed from the Play Store or updated with new, clean versions.