500 Android Apps with 100 Million+ Downloads Found to Contain Spyware

Over 500 Android apps which have been collectively downloaded some 100 million times from the Google Play store could have been hijacked to distribute spyware in a clandestinely due to a malicious advertising SDK (software development kit).

Security researchers at Lookout have discovered a rogue SDK called Igexin which can be compromised for malicious activity. Mobile applications, particularly freeware, frequently use advertising SDKs to deliver ads to their customers using established advertising networks as a means toward revenue. In this case, several app developers unknowingly deployed Igexin, an SDK that has been exploited previously for malicious activity.

Igexin, which is of Chinese origin, promotes services that claims to use data about people for advertising purposes. The SDK uses details such as interests, occupation, income and location for the benefit of advertising.

Lookout researchers provided details of two infected apps: a photography Android app called SelfieCity which has been downloaded over five million times and another app called LuckyCash, downloaded over a million times. Other unnamed infected apps include a teenager-targeted game with over 50 million downloads. A weather and photo apps were both between one million and five million downloads respectively.

Other infected apps included a number of educational, travel, health and fitness, emoji, home video camera and other apps. Altogether, the ad network had the potential to infect over 100 million Android phones, turning them into malicious spying devices.

“It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote serve, “wrote Lookout researchers. “Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality – nor are they in control or even aware of the malicious payload that may subsequently execute.”

Google has since removed the malicious applications from the Play Store, or replaced them with updated versions without the rogue spyware.

Image credit: Pixabay.