Over 500 apps from the Android Play Store which had been downloaded more than 100 million times combined, may have installed spyware to the users’ devices, according to a discovery by mobile cybersecurity company Lookout.
The company found that the advertising software development kit (SDK) by Igexin was responsible, targeting games for teenagers, weather and radio apps as well as photo editing, educational and travel applications.
Although not all apps have been confirmed to download the malicious spyware, Igexin had the capability to do so.
In a blog post, Lookout confirms:
It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality – nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server.
Among the games that contained the SDK, one had been downloaded up to 100 million times, whilst a weather and photo editing app had between one to five million downloads. The apps LuckyCash and SelfieCity were among those affected.
Following the findings, Google was notified by Lookout and the apps have since been removed from the Play Store or were replaced with versions that do not contain the SDK. Lookout did confirm that not all versions of Igexin were malicious.
Earlier this month, both Google and Apple had removed over 300 financial apps from their app stores after the Australian Securities and Investments Commission flagged that the app operators did not have the licenses required to operate financial apps.