Over 500 different Android apps that have been downloaded more than 100 million times from the official Google Play Store found to be infected with a malicious ad library that secretly distributes spyware to users and can perform dangerous operations.

Since 90 per cent of Android apps is free to download from Google Play Store, advertising is a key revenue source for app developers. For this, they integrate Android SDK Ads library in their apps, which usually does not affect an app's core functionality.

But security researchers at mobile security firm Lookout have discovered a software development kit (SDK), dubbed Igexin, that has been found delivering spyware on Android devices.

Developed by a Chinese company to offer targeted advertising services to app developers, the rogue 'Igexin' advertising software was spotted in more than 500 apps on Google's official marketplace, most of which included:

  • Games targeted at teens with as many as 100 million downloads
  • Weather apps with as many as 5 million downloads
  • Photo editor apps with 5 Million downloads
  • Internet radio app with 1 million downloads
  • Other apps targeted at education, health and fitness, travel, and emoji

Chinese Advertising Firm Spying On Android Users

The Igexin SDK was designed for app developers to serve targeted advertisements to its users and generate revenue. To do so, the SDK also collects user data to help target interest-based ads.
But besides collecting user data, the Lookout researchers said they found the SDK behaved maliciously after they spotted several Igexin-integrated apps communicating with malicious IP addresses that deliver malware to devices unbeknownst to the creators of apps utilizing it.

"We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at https://sdk[.]open[.]phone[.], which is an endpoint used by the Igexin ad SDK," the researchers explain in a blog post.
"This sort of traffic is often the result of malware that downloads and executes code after an initially "clean" app is installed, in order to evade detection."
Once the malware is delivered to infected devices, the SDK can gather logs of users information from their device, and could also remotely install other plugins to the devices, which could record call logs or reveal information about users activities.

How to Protect Your Android From This Malware

Google has since removed all the Android apps utilizing the rogue SDK from its Play Store marketplace, but those who have already installed one such app on their mobile handsets, make sure your device has Google Play Protect.

Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.

In addition, you are strongly advised to always keep a good antivirus application on your device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.

Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day. Last month, we saw first Android malware with code injecting capabilities making rounds on Google Play Store.

A few days after that, researchers discovered another malicious Android SDK ads library, dubbed "Xavier," found installed on more than 800 different apps that had been downloaded millions of times from Google Play Store.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.