Chinese Advertising SDK Caught Stealing Data From Android Devices

LASER_oneXM

Feb 4, 2016
An advertising software development kit (SDK) embedded in many legitimate apps has been secretly siphoning user data and sending it to the servers of a Chinese company.

Developed by Chinese firm Igexin, the advertising SDK was found in over 500 apps that were uploaded on the official Google Play Store and had been downloaded over 100 million times across the Android ecosystem.

Investigation started after noticing suspicious API requests
Researchers say they got on the trail of the Igexin SDK after they noticed that known malware samples were being downloaded on clean smartphones after the device made a request to the Igexin API server.

Following months of investigation, researchers from mobile security firm Lookout discovered that Igexin developers were using legitimate SDK functions to send malicious commands to legitimate apps.

Based on the permissions the legitimate apps received from users during installation, Lookout says it observed the SDK collecting all sorts of data from users' devices, but mostly call logs.

In addition, the SDK also forcibly downloaded and ran code contained in large encrypted files. This code aided the malicious behavior.

Apps using Igexin SDK removed from Play Store
Researchers reached out to Google and the developers of the legitimate apps where they found the Igexin SDK being used to simplify the delivery of ads.

Google disabled malicious versions of the apps until app developers could issue updates.

Lookout experts did not mention the names of apps that included the Igexin SDK, as they did not consider that this was their fault. Nonetheless, they provided a generic list of apps where they found the Igexin SDK.

Games targeted at teens (one with 50M-100M downloads)
Weather apps (one with 1M-5M downloads)
Internet radio (500K-1M downloads)
Photo editors (1M-5M downloads)
Educational, health and fitness, travel, emoji, home video camera apps
 

ispx

Jun 21, 2017