More than 500 Android apps, collectively downloaded over 100 million times from the Google Play store, could have been used to secretly distribute spyware to users, thanks to a malicious advertising SDK (software development kit).
Mobile apps — especially free ones — commonly use advertising SDKs to deliver ads to their customers through existing advertising networks, thereby generating revenue.
However, security researchers at Lookout have discovered that many app developers inadvertently deployed a rogue SDK called Igexin, which can be exploited for malicious activity.
Google has been informed about Igexin’s secret functionality, and all of the compromised apps have now been removed from the Play Store or updated with new, clean versions.
Researchers provided two specific examples of previously infected apps on Google Play: a photography app called SelfieCity — downloaded over five million times — and an app called LuckyCash, which has been downloaded more than a million times. Lookout has confirmed that neither of these apps is now vulnerable to malicious behaviour.
Submitted by: Arnfried Walbrecht