More than 500 apps that have been downloaded over 100 million times from the Google Play Store contained software that allowed spyware to be installed on a device at anytime, according to research engineers Adam Bauer and Christoph Hebeisen from the Lookout blog.
The apps in question contained an advertising software development kit called Igexin, which allows apps to connect to ad networks and send targeted ads.
If an app with Igexin is installed on a phone, the SDK can download malicious plug-ins capable of adding spyware that will steal call history information, GPS locations, nearby Wi-Fi networks and lists of installed apps. Though not all of the applications were confirmed to download the spyware, Igexin had the opportunity to do so through any of the apps.
It appears the installs initiate from an Igexin-controlled server, according to Bauer and Hebeisen, and that developers weren’t aware of the spyware capabilities of the SDK.
In an e-mail sent to ArsTechnica, a Google spokesman said, “We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe.”
According to Bauer and Hebeisen the apps that include the SDK are the following:
- Games targeted at teens (one with 50M-100M downloads)
- Weather apps (one with 1M-5M downloads)
- Internet radio (500K-1M downloads)
- Photo editors (1M-5M downloads)
- Educational, health and fitness, travel, emoji, home video camera apps
When MobileSyrup reached out to Google Canada, the tech giant stated that it currently has no comment regarding the Igexin SDK.
Source: Lookout Blog