More than 500 mobile apps on Google Play were recently discovered containing an advertising software development kit capable of downloading malicious plug-ins that can spy on Android users’ call histories, researchers from mobile security company Lookout have reported.
Apps using the ad SDK, a product called Igexin, were downloaded over 100 million times by Android device owners before Google removed these programs from its store or replaced them with updated versions, mobile Lookout noted in an Aug. 21 company blog post. While not all of the apps ultimately possessed the spyware functionality, they could have, had the SDK administrators at any time initiated a download of the malicious plug-in. This technique is how the malware’s authors were able to evade detection in the first place and wind up in apps sold in Google’s store. (Google confirmed Lookout’s account to SC Media.)
Igexin is not a new threat. Symantec Corporation, for instance, has labelled the SDK a potentially unwanted app (PUA) since early 2015 because of its suspicious permissions and its ability to download secondary code. However, this is the first time Igexin is known to have downloaded spyware specifically designed to collect and exfiltrate a user’s phone record logs, including specific call times and phone numbers. “That function [took Igexin] from potentially unwanted to really unwanted,” said Mike Murray, VP of security intelligence at Lookout, in an interview with SC Media.
In the course of their investigation, which took place from June through August, Lookout researchers found that Igexen was primarily targeting Chinese developers of apps specializing in teen-friendly games, weather forecasts, Internet radio, photo editing, education, health and fitness, emojis and home video capabilities. One teen-oriented game alone was downloaded between 50 million and 100 million times.
Lookout noted in its blog post that it was not these app developers’ intention to spy on users, “nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server.” But by including the Igexin SDK, these apps were essentially used as trojans to deliver spyware code to their own customers, Murray explained.
Despite the fact that Igexin has garnered a reputation as a PUA, Murray said that the average app developer, which might rely on 10 or more SDKs, cannot be blamed for failing to recognize Igenix’s hidden functionality. “It’s unreasonable to expect then to reserve-engineer any piece of code that comes from a trusted third party,” said Murray. Lookout’s blog post further notes that the discovery of Igexin’s spyware capabilities required a “deep analysis of the apps’ and ad SDK’s behavior by our researchers… Not only is the functionality not immediately obvious, it could be altered at any time on the remote server,” perhaps to include even more intrusive features.
Lookout’s investigation intensified after its researchers observed an affected app downloading large encrypted files after first communicating with an endpoint known for its use by Igexin. According to Lookout, this sort of activity is indicative of an app attempting to download and execute malicious code after a clean version of that program is initially installed by the user. “They’re actually trying to evade detection, they’re trying not to get caught, which tells you something,” said Murray.