Written by Patrick Howell O'Neill

This story has been updated with comments from Igexin.

A popular Chinese advertising software development kit, used on over 500 Google Play apps with millions of downloads each, spied on unsuspecting users and developers and secretly took data including GPS data, device identifiers and call logs.

Investigating suspicious traffic during a review of apps that communicate with IPs and servers that have a history of serving malware, researchers from mobile security company Lookout saw an app downloading large, encrypted files after requests to an endpoint used by the Igexin ad software development kit, behavior typical of malware acting after a temporarily clean app installation.

“It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server,” the researchers wrote. “Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality – nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server.”

The research showed impacted apps using were downloaded over 100 million times in total. Google removed the impacted apps, most of which were not specified by researchers, and replaced them with updated versions without spyware.

Developers who used Igexin as an ad platform were targeted and taken advantage of, Lookout’s vice president Mike Murray told CyberScoop.

“We’ve been not naming names on the developers specifically because it wasn’t their fault,” Murray said. “We’ve been trying to not publicly shame too many of the folks who got infected because they seem to be acting with good faith and signing up with a legitimate ad SDK. [Igenix] seems to be just sketchy across the board, taking too many permissions and stealing data on the side.”

Investigating suspicious traffic during a review of apps that communicate with IPs and servers that have a history of serving malware, researchers from mobile security company Lookout saw an app downloading large, encrypted files after requests to an endpoint used by the Igexin ad software development kit, behavior typical of malware acting after a temporarily clean app installation.

Igexin, a Hangzhou, China-based software firm, targets mostly the domestic Chinese market. The impacted apps ranged from popular gaming, weather, photo and radio app to less popular educational and fitness apps. What happens to the data once it’s taken remains unclear. The exact scope of the stolen data depended on the version of Igexin used in each app.

Igexin did not respond to a request for comment.

This research follows closely on the heels of another Chinese tech firm, Adups, being caught and criticized over the last year for surreptitiously siphoning sensitive user data including the user’s phone number, cell tower, device identifiers and list of installed applications.

The company has been the subject of cybersecurity removal efforts for years. It’s been characterized as a “potentially unwanted app” worth removal since 2015 by Symantec and other major antivirus solutions.

Igexin “has been putting out sketchy stuff for a while,” Murray said. “This isn’t the first time people have caught them taking too many permissions with their ad SDK.”

There is an Igexin SDK for iOS apps, but Lookout researchers didn’t find the same malicious behavior for iOS apps. The reasoning isn’t clear, but Android dominates China with 86.4 percent market share versus iOS’s 13.2 percent.

UPDATE (8/29/2017): After the article was published, Igexin representative Cathy Zhang emailed CyberScoop to explain that the company is working closely with Google to remove the old SDK that violated Google Play Store’s Terms of Service.

Zhang explained that some versions of the SDK used “the PhoneStateListener to detect call state change, in order to bring socket connection back to normal right after a long call. And we also need more information to see approximately how long a call will last and how often there will be a call, on average. We encrypted the phone number and treated just as anonymous ID. In the latest SDK, we don’t need the PhoneStateListener anymore, so the apps that integrate the latest igexin SDK is safe to use.”

“We apologize for the misunderstanding and confusion caused by us,” she said.

Lookout’s researchers confirmed that Igexin removed the plugin download functionalty in the SDK. The call log data could have been decrypted and should have used other methods “to produce unique but anonymous identifiers per phone number and device that are in line with the Google Play terms of service.”