Mobile ad libraries have once again been called out for spying on potentially millions of Android users.
Researchers at Lookout Security have identified over 500 Android apps on Google Play that used a potentially malicious ad software development kit (SDK) from Chinese ad network, Igexin. Lookout’s researchers found harmless apps taking user data, such as call logs, and sending it to Igexin’s servers.
The affected Android apps themselves were not malicious but since they relied on Igexin’s ad SDK, they could have been used to install spying capabilities via malicious plugins.
Google has now either removed the affected apps or helped developers address the issue, according to Lookout.
Apps with the SDK were downloaded 100 million times, and included popular weather apps, teen games, internet radio, photo editing apps and more.
Symantec in 2015 identified Igexin as a potentially unwanted app, but Google took action after a recent report from Lookout.
Ad libraries or SDKs are known to occasionally create privacy and security risks within apps they’re embedded in since the SDK can inherit the device permissions that users give to the app they installed.
The ad SDK can also introduce new vulnerabilities that hackers can exploit. Google pulled down about over 100 apps last year after security researchers reported a misbehaving ad SDK.
As Lookout researchers Adam Bauer and Christoph Hebeisen note, it is likely that many app developers didn’t know personal information about their users devices was being siphoned by Igexin's ad SDK.
The researchers investigated the SDK after discovering a set of apps that were communicating with servers that had previously served malware. They found an app downloading encrypted files after communicating with a machine used by Igexin.
The threat to end-users comes via certain versions of the Igexin SDK that implement several plugins that allow it to download arbitrary code.
The capabilities in malicious code that is downloaded “is completely under external control at runtime, and it may change at any time and can vary based on any factors chosen by the remote system operator”, according to Lookout.
“Users and app developers have no control over what will be executed on a device after the remote API request is made.”
Android’s permission system however in this case does limit what code can be run.