An advertising software development kit (SDK) embedded in many legitimate apps has been secretly siphoning user data and sending it to the servers of a Chinese company.
"Ultimately, the ad network has the potential to turn more than 100 million Android phones into malicious spying devices, putting the privacy of users and their employers at risk", they explained.
It has been used in hundreds of games, weather, internet radio, image editor and other apps, which have been downloaded in excess of 100 million times. The latter then proceeded to clean up house, either by removing the offending apps altogether, or by forcing app developers to upload an updated version with the invasive features (i.e. the Igexin SDK) removed.
The researchers pointed out that not all versions of the Igexin ad SDK deliver malicious functionality, but those that did implemented a plugin framework that allows the client to load arbitrary code, and requested instructions on what to download next. But there were also instances where data about installed apps and Global Positioning System location was exfiltrated. Lookout says it has confirmed these apps no longer use the Igexin ad SDK with malicious behaviour. "We appreciate contributions from the research community that help keep Android safe", Google said in an e-mail to Ars Technica. This is likely, considering that Igexin is an SDK that lets developers generate revenue through targeted advertisements.
Igexin was known to promote "targeted advertising services that leverage data collected about people such as their interests, occupation, income, and location".
But a quick Google search shows security firms have labelled Igexin as a "potentially unwanted application" since at least 2015.
But its analysis stressed that the developers - in this instance - should not be blamed. Nonetheless, they provided a generic list of apps where they found the Igexin SDK. In the majority of cases they set the app permissions, but here it wouldn't have mattered. They found that numerous apps' requests were being made to an endpoint used by the Igexin ad SDK. "Not only is the functionality not immediately obvious, it could be altered at any time".