An advertising software development kit (SDK) embedded in many legitimate apps has been secretly siphoning user data and sending it to the servers of a Chinese company.

Developed by Chinese firm Igexin, the advertising SDK was found in over 500 apps that were uploaded on the official Google Play Store and had been downloaded over 100 million times across the Android ecosystem.

Investigation started after noticing suspicious API requests

Researchers say they got on the trail of the Igexin SDK after they noticed that known malware samples were being downloaded on clean smartphones after the device made a request to the Igexin API server.

Following months of investigation, researchers from mobile security firm Lookout discovered that Igexin developers were using SDK legitimate functions to send malicious commands to legitimate apps.

Based on the permissions the legitimate apps received from users during installation, Lookout says it observed the SDK collecting all sorts of data from users' devices, but mostly call logs.

In addition, the SDK also forcibly downloaded and ran code contained in large encrypted files. This code aided the malicious behavior.

Apps using Igexin SDK removed from Play Store

Researchers reached out to Google and the developers of the legitimate apps where they found the Igexin SDK being used to simplify the delivery of ads.

Google disabled malicious versions of the apps until app developers could issue updates.

Lookout experts did not mention the names of apps that included the Igexin SDK, as they did not consider that this was their fault. Nonetheless, they provided a generic list of apps where they found the Igexin SDK.

Games targeted at teens (one with 50M-100M downloads)

Weather apps (one with 1M-5M downloads)

Internet radio (500K-1M downloads)

Photo editors (1M-5M downloads)

Educational, health and fitness, travel, emoji, home video camera apps

Something similar happened in late 2016

Last year, researchers from Kryptowire discovered that Adups, a Chinese firmware developer, had included malicious code in the firmware they delivered to Android phone makers.

The malicious code collected a large number of user details and sent the data back to servers in China. Several brands of low-priced Android devices were affected, mainly BLU, and even Barnes & Noble NOOK tablets.

Earlier this month, Adups said it stopped the data collection behavior, but experts disagreed.