More than 500 Android apps, collectively downloaded over 100 million times from the Google Play store, could have been used to secretly distribute spyware to users, thanks to a malicious advertising SDK (software development kit).
Mobile apps — especially free ones — commonly use advertising SDKs to deliver ads to their customers through existing advertising networks, thereby generating revenue.
However, security researchers at Lookout have discovered that many app developers inadvertently deployed a rogue SDK called Igexin, which can be exploited for malicious activity.
Google has been informed about Igexin’s secret functionality, and all of the compromised apps have now been removed from the Play Store or updated with new, clean versions.
Researchers provided two specific examples of previously infected apps on Google Play: a photography app called SelfieCity — downloaded over five million times — and an app called LuckyCash, which has been downloaded more than a million times. Lookout has confirmed that neither of these apps is now vulnerable to malicious behaviour.
Other infected apps — not individually identified — included a game targeted at teenagers with over 50 million downloads, a weather app and a photo app, both with between one million and five million downloads, and an internet radio app with between 500,000 and one million downloads.
Various other apps downloaded from the Google Play Store — including educational, health and fitness, travel, emoji, and home video camera apps — were also found to have been compromised.
Ultimately, the ad network has the potential to turn more than 100 million Android phones into malicious spying devices, putting the privacy of users and their employers at risk.