http://www.digitaljournal.com/tech-and-science/technology/google-pulls-over-500-android-apps-over-spyware-backdoor-fears/article/500753

Google pulls 500 Android apps over spyware backdoor fears

Posted Aug 23, 2017 by James Walker
Google has removed over 500 Android apps from Google Play after security researchers discovered they could be used to download spyware. All the apps used an advertising network that contained code capable of stealing data from users.
500 Android apps were compromised by the Igexin SDK
Deyvi Romero / Pexels
Lookout Security detailed the issue in a blog post earlier this week. The company's Security Intelligence team came across an app making suspicious requests for data from servers used by the Igexin ad SDK. Advertising SDKs are used by app developers to monetise their free products.
Lookout began to investigate the traffic. It discovered that some versions of the Igexin SDK contained malicious code. This code provided a kind of plugin framework that could be used to install malicious "extensions." When required, Igexin's developers could collect personal information and install malware using the backdoor in the SDK.
In compromised apps, the SDK periodically connects to its control server. The server responds with details of certain app files to download. Once they've been retrieved, the malicious SDK runs the code in the apps, giving it access to the user's files.
The malware would be capable of extracting a wide range of information from the phone. Lookout said it is currently relatively innocuous, though, extracting only the user's call log and sending it to the server.
The malware is unusual because it's not being directly implemented by the app developers. Instead, a rogue ad network is compromising the products of its clients. Lookout said it's unlikely the app developers are aware of Igexin's hidden functionality.
"It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server," said Lookout. "Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality – nor are they in control or even aware of the malicious payload that may subsequently execute."
Lookout also warned that developers are ultimately responsible for their apps' activity. Responsible developers should consider vetting third-party code before adding it to their products. Third-party data collection capabilities must be detailed in the app's privacy policy. Although the spyware is entirely Igexin's creation, it could be argued that app creators could have avoided giving it a host.
Combined, apps using Igexin's SDK have received over 100 million downloads from the Play Store. One of the affected titles, a game popular with teenagers, has received over 50 million downloads alone. Google removed all the apps from the Play Store after being contacted by Lookout. Some developers have already replaced their products with versions that do not include the Igexin SDK.