Android apps blocked from Play Store due to malware

Yolanda Curtis
August 24, 2017

Because Android apps lack a recall facility, developers have to hope that users follow instructions to update their applications. Even though Google has kept the majority of its 1.4 billion users safe from a variety of malicious software, some of it still leaks into its official store.

Once an app using a malicious version of the Igexin SDK was installed on a phone, the developer kit could update the app to include spyware at any time, with no warning.

The ad SDK came from a Chinese company called Igexin, and "apps containing the affected SDK were downloaded over 100 million times across the Android ecosystem", according to researchers with Lookout's Security Intelligence team, who alerted Google about it. The malicious functionality is not shipped inside the apps themselves; rather, "the invasive activity initiates from an Igexin-controlled server". The rest of the affected apps appeared on third-party Android app stores.

Lookout researchers began investigating the suspicious traffic as part of a routine review of apps that communicate with certain IPs and servers that had previously served malware. Many of the app developers were in fact unaware of the security issues.

If you have an Android device, you should know about the 500 apps removed from the Google Play Store.

El Reg asked Google to comment on the incident, in particular the suggestion that crooks had figured out a way to smuggle malicious code past its security controls, but has not yet received a response.

This also means that both the app developers and the SDK developers were left in the dark about the potential vulnerabilities of the SDK and how it could be used nefariously.

Lookout's researchers did not name the apps that included the Igexin SDK, as they did not consider the app developers to be at fault.

The Igexin spyware code could lead an app to record call logs, text messages, login credentials and much more.

Researchers say they got on the trail of the Igexin SDK after they noticed that known malware samples were being downloaded onto clean smartphones after the device made a request to the Igexin API server. Users and app developers have no control over what will be executed on a device after that remote API request is made. The type of plugin that could be delivered was limited by the Android permission system.
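The pattern described above, an ad-SDK API request followed shortly by the device fetching executable code from the SDK's own infrastructure, is something a defender can look for in device network logs, in the same spirit as Lookout's review of traffic to servers that had previously served malware. The following is an added example, not code from Lookout or from this article; the hostnames, package names, watchlist and log format are constructed assumptions.

```python
"""Flag apps whose ad-SDK API call is followed by a download of executable
code from infrastructure already seen serving malware. Constructed example;
hostnames, packages and log layout are assumptions, not from Lookout's report."""
from datetime import datetime, timedelta

# Assumed watchlist: servers previously observed serving malware (placeholders).
WATCHLIST = {"api.adsdk.example", "plugins.adsdk.example"}
# Detection window between the API request and the follow-up code download.
WINDOW = timedelta(minutes=10)
# Magic bytes of Android code containers: DEX files and JAR/APK (zip) archives.
CODE_MAGIC = (b"dex\n", b"PK\x03\x04")

# Constructed device network log: time, package, host, path, first body bytes.
LOG = [
    ("2017-08-20T10:00:01", "com.example.flashlight", "api.adsdk.example", "/api/plugin", b'{"ok"'),
    ("2017-08-20T10:00:04", "com.example.flashlight", "plugins.adsdk.example", "/dl/p7.bin", b"dex\n035"),
    ("2017-08-20T10:05:00", "com.example.weather", "cdn.images.example", "/logo.png", b"\x89PNG"),
    ("2017-08-20T11:00:00", "com.example.notes", "api.adsdk.example", "/api/plugin", b'{"ok"'),
    ("2017-08-20T11:30:00", "com.example.notes", "plugins.adsdk.example", "/dl/p8.bin", b"PK\x03\x04"),
]

def parse(record):
    ts, pkg, host, path, head = record
    return datetime.fromisoformat(ts), pkg, host, path, head

def is_code(head: bytes) -> bool:
    """True if the response body starts like a DEX or JAR/APK file."""
    return head.startswith(CODE_MAGIC)

def find_plugin_downloads(log):
    """Return (package, api_host, download_host, path) for each API request to a
    watchlisted host that is followed within WINDOW by the same app downloading
    executable code from a watchlisted host."""
    last_api = {}  # package -> (time, host) of its most recent API request
    alerts = []
    for ts, pkg, host, path, head in sorted(map(parse, log)):
        if host not in WATCHLIST:
            continue
        if not is_code(head):          # ordinary API traffic: remember it
            last_api[pkg] = (ts, host)
        elif pkg in last_api:          # code came back after an API call
            api_ts, api_host = last_api[pkg]
            if ts - api_ts <= WINDOW:
                alerts.append((pkg, api_host, host, path))
    return alerts

if __name__ == "__main__":
    for alert in find_plugin_downloads(LOG):
        print("ALERT remote code download:", alert)
```

The notes app is not flagged because its code download falls outside the ten-minute window; tune WINDOW and WATCHLIST to your own telemetry.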

With the key, we can decrypt the s6GYbkAUkOQPwK4P string to a valid phone number.
