It has been discovered that over 500 different Android apps are infected with a malicious ad library that secretly sends spyware to users and performs other dangerous operations. The infected apps have been downloaded over 100 million times so far.
Due to 90 percent of apps on Google Play Store being free to download, the main way the developers make money is through advertising. For this, they integrate Android SDK Ads library in their apps, which usually does not affect an app’s core functionality.
But Lookout’s security researchers have found out that software development kit (SDK) called Igexin is actually sending spyware to Android devices. The program was developed by a Chinese company and offers targeted advertising services to app developers.
The program has so far been found in over 500 Google Play Store apps, which include games targeted at teens, weather apps, photo editor apps, internet radio apps and other apps in the realm of education, health and fitness, travel and others. The apps containing the program have been downloaded several hundred million times in total.
The Igexin SDK was created for app developers to serve targeted advertisements to its users and produce revenue. To do so, the SDK also gathers user data to help target interest-based ads.
But researchers from Lookout say this isn’t all they have found the SDK to do. They found several Igexin-integrated apps interacting with malicious IP addresses that pass malware to devices of which the creators of apps aren’t aware are utilizing it.
The researchers explained in a blog post that they observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK.
They continued by saying that that kind of traffic is usually the result of malware that downloads and executes code after an initially clean app is installed, so it can evade detection.
When the malware gets on the infected devices, the SDK then gathers logs of users information from the device, remotely installs other plugins to the device and records call logs or reveals information about user’s activities if the attacker so desires.
Google has since then removed all the apps that have the SDK in them from the marketplace, but if you have already installed some of the apps that contain the SDK before they were removed, try Google Play Protect.
Play Protect is Google’s newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.
Besides this, you should always have a good antivirus application on your phone just to be sure, and always keep your device and apps up-to-date.