Researchers from the mobile security firm Lookout said that while not all of the apps in question had been confirmed to contain malicious plugins, the plugin-loading functionality meant such code could have been introduced at a later stage.
The apps that contained Igexin had been downloaded more than 100 million times in total.
According to Lookout, the breakdown of the downloads was:
- Games targeted at teens (one with 50M-100M downloads);
- Weather apps (one with 1M-5M downloads);
- Internet radio (500K-1M downloads);
- Photo editors (1M-5M downloads); and
- Educational, health and fitness, travel, emoji, home video camera apps.
Examples of previously infected apps on Google Play. Lookout says it has confirmed these apps no longer use the Igexin ad SDK with malicious behaviour.
"Like many ad networks, the Igexin service promotes its targeted advertising services that leverage data collected about people such as their interests, occupation, income, and location."
The team at Lookout first noticed Igexin during a routine review of apps on the Google Play store that communicated with IP addresses and servers known to have served malware in the past.
While in the midst of this exercise, they noticed an app "downloading large, encrypted files after making an initial request to a REST API at https://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK".
Lookout said not all versions of the Igexin SDK had malicious functionality. "The malicious versions implement a plugin framework that allows the client to load arbitrary code, as directed by responses to requests made to a REST API endpoint hosted at https://sdk[.]open[.]phone[.]igexin[.]com/api.php," it said.
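The review Lookout describes above, an app calling the SDK's REST API and then pulling down a large encrypted blob, can be turned into a traffic heuristic. The following is an added example written for this page, not Lookout's tooling or anything from the Igexin SDK: it groups per-app HTTP response records, looks for a request to the api.php endpoint named in the article, and flags any subsequent large download whose body sample has a near-random byte distribution. The record format, the package names, the 203.0.113.10 and cdn.example.net hosts, and the size, entropy and time-window thresholds are all constructed assumptions; only the Igexin hostname and path come from the article.

```python
import math
from collections import defaultdict

# Endpoint named in the article as the Igexin SDK's REST API.
SDK_API_HOST = "sdk.open.phone.igexin.com"
SDK_API_PATH = "/api.php"

# Heuristic thresholds: assumptions for this example, tune to your own traffic.
MIN_PAYLOAD_BYTES = 512 * 1024   # what counts as a "large" download
MIN_ENTROPY_BITS = 7.0           # near-flat byte histogram, typical of ciphertext or compressed data
FOLLOW_WINDOW_S = 120            # payload must follow the API call within this many seconds


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a perfectly flat histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_suspicious_plugin_downloads(events: list[dict]) -> list[dict]:
    """Flag large, high-entropy downloads that closely follow a call to the SDK API.

    Each event is a dict with: ts (seconds), app (package name), host, path,
    size (full response length) and body_sample (a prefix of the response body).
    The ordering requirement matters: a large encrypted-looking file on its own
    (an image, a compressed asset) is not suspicious; one fetched right after the
    SDK asked its server what to load is.
    """
    by_app: dict[str, list[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_app[ev["app"]].append(ev)

    findings = []
    for app, evs in by_app.items():
        last_api_ts = None
        for ev in evs:
            if ev["host"] == SDK_API_HOST and ev["path"] == SDK_API_PATH:
                last_api_ts = ev["ts"]
                continue
            if last_api_ts is None or ev["ts"] - last_api_ts > FOLLOW_WINDOW_S:
                continue
            if ev["size"] < MIN_PAYLOAD_BYTES:
                continue
            entropy = shannon_entropy(ev["body_sample"])
            if entropy >= MIN_ENTROPY_BITS:
                findings.append({
                    "app": app,
                    "api_call_ts": last_api_ts,
                    "payload_url": f"https://{ev['host']}{ev['path']}",
                    "size": ev["size"],
                    "entropy": round(entropy, 3),
                })
    return findings


def build_sample_events() -> list[dict]:
    """Constructed traffic for three hypothetical apps; nothing here is real capture data."""
    api_response = b'{"result":"ok","items":[]}'          # small, low-entropy JSON reply
    ciphertext_like = bytes(range(256)) * 16            # 4 KiB sample with a flat byte histogram
    return [
        # Suspicious: SDK API call, then a 1.5 MiB encrypted-looking blob 30 s later.
        {"ts": 100, "app": "com.example.weather", "host": SDK_API_HOST, "path": SDK_API_PATH,
         "size": len(api_response), "body_sample": api_response},
        {"ts": 130, "app": "com.example.weather", "host": "203.0.113.10", "path": "/d/p.bin",
         "size": 1_572_864, "body_sample": ciphertext_like},
        # Benign: SDK API call followed only by a small image.
        {"ts": 200, "app": "com.example.radio", "host": SDK_API_HOST, "path": SDK_API_PATH,
         "size": len(api_response), "body_sample": api_response},
        {"ts": 215, "app": "com.example.radio", "host": "cdn.example.net", "path": "/logo.png",
         "size": 48_000, "body_sample": ciphertext_like},
        # Benign: large high-entropy asset with no preceding SDK API call.
        {"ts": 300, "app": "com.example.photos", "host": "cdn.example.net", "path": "/filters.bin",
         "size": 3_000_000, "body_sample": ciphertext_like},
    ]


if __name__ == "__main__":
    for finding in find_suspicious_plugin_downloads(build_sample_events()):
        print(finding)
```

Entropy is a weak signal on its own, since compressed images and archives look just as random as ciphertext; the check is only useful because it is gated on the preceding API call, which is the sequence Lookout reported seeing. In a real deployment the body sample would come from a proxy or packet capture, and the API host would be a list of indicators rather than a single constant.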
Graphics: courtesy Lookout