Google targets 500 apps with suspect ad libraries

Mobile ad libraries have once again been called out for spying on potentially millions of Android users. 

Researchers at Lookout Security have identified over 500 Android apps on Google Play that used a potentially malicious ad software development kit (SDK) from the Chinese ad network Igexin. Lookout’s researchers found harmless apps taking user data, such as call logs, and sending it to Igexin’s servers.

The affected Android apps themselves were not malicious, but since they relied on Igexin’s ad SDK, they could have been used to install spying capabilities via malicious plugins.

Google has now either removed the affected apps or helped developers address the issue, according to Lookout. 

Apps with the SDK were downloaded 100 million times, and included popular weather apps, teen games, internet radio, photo editing apps and more. 

Symantec in 2015 identified Igexin as a potentially unwanted app, but Google took action after a recent report from Lookout. 

Ad libraries or SDKs are known to occasionally create privacy and security risks within the apps they’re embedded in, since the SDK can inherit the device permissions that users give to the app they installed.

The ad SDK can also introduce new vulnerabilities that hackers can exploit. Google pulled down over 100 apps last year after security researchers reported a misbehaving ad SDK.

As Lookout researchers Adam Bauer and Christoph Hebeisen note, it is likely that many app developers didn’t know personal information about their users' devices was being siphoned by Igexin's ad SDK.

The researchers investigated the SDK after discovering a set of apps that were communicating with servers that had previously served malware. They found an app downloading encrypted files after communicating with a machine used by Igexin. 

The threat to end-users comes via certain versions of the Igexin SDK that implement several plugins that allow it to download arbitrary code.     

What the downloaded malicious code can do “is completely under external control at runtime, and it may change at any time and can vary based on any factors chosen by the remote system operator”, according to Lookout.

“Users and app developers have no control over what will be executed on a device after the remote API request is made.”

In this case, however, Android’s permission system does limit what code can be run.
