Lookout notes that these apps were using a malicious advertising SDK ‘Igexin’, which is the culprit behind the secret distribution of spyware plugins to the users.
Google was informed about the vulnerability and the compromised apps have since been removed or updated to new versions with the malicious SDK. Lookout identified two of the infected apps – SelfieCity (over 5 million downloads on Google Play) and Lucky Cash (over 1 million downloads on Google Play), both have now been fixed.
The researchers explained that the developers of the infected apps were also possibly a victim in this. They did not know that advertising SDK was spying on users.
“It is likely many app developers were not aware of the personal information that could be exfiltrated from their customers’ devices as a result of embedding Igexin’s ad SDK. It required deep analysis of the apps’ and ad SDK’s behavior by our researchers to make this discovery. Not only is the functionality not immediately obvious, it could be altered at any time on the remote server,” Lookout wrote in a blog post.
Although Google keeps trying to keep the malicious apps out of Android devices, every now and then some of the infected applications make their way to Google Play. Here’s to hoping that Android Oreo’s Google Play Protect will be more successful in this regard.
