It was discovered that an embedded advertising SDK (software development kit) known as Igexin could be used to infect mobile devices with spyware. As a result, Google had to remove more than 500 apps from its store, Google Play.
The SDK, developed in China, could be used to download malware designed to exfiltrate files from infected devices.
Lookout, a mobile security company, reported that Android users had downloaded more than 500 Android apps containing the Igexin SDK, over 100 million times in total. However, not all of those apps were compromised with spyware.
The apps containing the Igexin SDK were concentrated among games targeting teenagers, which had been downloaded 50 to 100 million times. Lookout also found the Igexin SDK in internet radio, photo editor, educational, weather and other popular types of Android apps.
Adam Bauer and Christoph Hebeisen, security engineers at Lookout, noted that not all of these apps had downloaded spyware, but that the Igexin SDK could also have used its functionality for other purposes.
The Igexin SDK and similar programs are used by app engineers and developers. The SDK connects apps to mobile advertising networks for ad distribution and revenue. In addition, such SDK services collect information about consumers' habits and interests in order to deliver ads to their target audience.
Lookout reported that the suspicious behavior of these applications was discovered through their communication with IP addresses and servers known for distributing malicious software.
For example, one application was observed downloading large encrypted files.
According to A. Bauer and C. Hebeisen at Lookout, “The encrypted file downloads and the presence of calls within the com.igexin namespace to Android’s dalvik.system.DexClassLoader (used to load classes from a .jar or .apk file) were enough to warrant more in-depth analysis for possible malware hiding in its payload”.
The researchers also explained that the creators of these applications were probably unaware of what kind of information the SDK could extract from mobile devices.
The malicious SDK implements a plugin system that lets it download and run arbitrary code on a device. That code is fetched from the endpoint at http://sdk[.]open[.]phone[.]igexin[.]com/api.php; under the endpoint's control, the SDK downloads and manages its payloads.
Bauer and Hebeisen said that, “the functionality contained in the downloaded classes is completely under external control at runtime, and it may change at any time and can vary based on any factors chosen by the remote system operator. Users and app developers have no control over what will be executed on a device after the remote API request is made.”
Moreover, other plugins could be loaded to monitor device activity, for example through Android's PhoneStateListener.
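As an added illustration (not part of Lookout's analysis or this article), the Python script below applies the two indicators the researchers describe to a constructed smali-style disassembly: DexClassLoader references inside the com.igexin namespace, and string constants pointing at the igexin.com endpoint. The sample input, class names and function names are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of smali-style disassembly (the form baksmali emits); class
# names and registers are illustrative, the endpoint is defanged as in the article.
SAMPLE_SMALI = """\
.class public Lcom/igexin/push/core/a/b;
.method public a(Ljava/lang/String;)V
    const-string v0, "http://sdk[.]open[.]phone[.]igexin[.]com/api.php"
    invoke-direct {v1, p1, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
.end method
.class public Lcom/example/app/PluginHost;
.method public load()V
    new-instance v1, Ldalvik/system/DexClassLoader;
.end method
"""

CLASS_RE = re.compile(r"^\.class\s+(?:\S+\s+)*(L[^;]+;)")
STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+\w+,\s+"([^"]*)"')
DEX_LOADER = "Ldalvik/system/DexClassLoader;"


def scan_smali(text):
    """Per class, record whether DexClassLoader is referenced and which URLs appear."""
    findings, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := CLASS_RE.match(line):
            current = m.group(1)
            findings[current] = {"dex_loader": False, "urls": []}
        elif current is not None:
            if DEX_LOADER in line:
                findings[current]["dex_loader"] = True
            for s in STRING_RE.findall(line):
                s = s.replace("[.]", ".")  # refang so defanged notes still match
                if s.startswith(("http://", "https://")):
                    findings[current]["urls"].append(s)
    return findings


def flag_dynamic_loaders(findings, namespace="Lcom/igexin/", host="igexin.com"):
    """Classes that load code at runtime and also sit in the SDK namespace or contact its host."""
    flagged = {}
    for cls, info in findings.items():
        reasons = []
        if info["dex_loader"] and cls.startswith(namespace):
            reasons.append("DexClassLoader in " + namespace)
        hosts = [urlparse(u).hostname or "" for u in info["urls"]]
        if info["dex_loader"] and any(h == host or h.endswith("." + host) for h in hosts):
            reasons.append("downloads from " + host)
        if reasons:  # a bare DexClassLoader, as in PluginHost above, only merits review
            flagged[cls] = reasons
    return flagged
```

Dynamic class loading alone is common in legitimate apps, so the script reports it only together with the namespace or endpoint indicator, mirroring the researchers' point that the combination, not the API call, justified deeper analysis.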
Meanwhile, Google is not shy about marketing its successes, especially at the RSA and Black Hat conferences. Adrian Ludwig, Director of Android Security, announced that Google has built security services into the Android operating system and that it also attempts to detect malicious applications by analyzing their relationships to developers.
Google is said to examine consumer feedback, the app's code, the app's behavior and the developer's business. It then compares these factors against otherwise unrelated suspicious applications and builds clusters of similar applications. Finally, potentially malicious applications and developers are red-flagged and confirmed as problematic only after human analysis.