Google Pulls 500+ Backdoored Apps With Over 100 Million Downloads From Google Play

Orome1 shares a report from Help Net Security: Security researchers have identified over 500 apps on Google Play containing an advertising software development kit (SDK) called Igexin, which allowed covert download of spying plugins. The apps in question represent a wide selection of photo editors, Internet radio and travel apps, educational, health and fitness apps, weather apps, and so on, and were downloaded over 100 million times across the Android ecosystem. Lookout researchers did not name the apps that were found using the malicious SDK, but notified Google of the problem. The latter then proceeded to clean up house, either by removing the offending apps altogether, or by forcing app developers to upload an updated version with the invasive features (i.e. the Igexin SDK) removed. "Users and app developers have no control over what will be executed on a device after the remote API request is made. The only limitations on what could potentially be run are imposed by the Android permissions system," the researchers pointed out. "It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality -- nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server."

List

[Anonymous Coward]

What's the point of source material that doesn't include a list of the apps?

Re:List

[Ritz_Just_Ritz]

I agree. Without the list of impacted applications, this "warning" is pretty worthless and more of a PR piece.

Re:List

[Anonymous Coward]

Not a ideal solution. You might have data and whatnot on these apps.

Also, doing it automatically makes Google look like Microsoft and their Windows 10 updates. I guess it's just not good PR.

Re:

[The MAZZTer]

Android already warns users if they have apps installed, sideloaded or not, that are suspicious. I expect Google will (if they haven't already) roll out new malware definitions which will alert users who have one of these apps installed.

Re:

[TheDarkMaster]

I also agree. Whats the point of the warning if you can not see which applications are affected?

Re:List

[swillden]

What's the point of source material that doesn't include a list of the apps?

According to the Ars Technica [arstechnica.com] article, the researchers say they didn't publish a list of the apps to avoid punishing app developers who didn't realize that the Igexin SDK could download and execute plugins which could potentially exfiltrate user data that the app had permission to see.

Re:List

[Anonymous Coward]

Translation:" Big, BIG Brand apps were also affected and we don't want to end up on their shit lists."

Re:

[Anonymous Coward]

The XcodeGhost is malicious and the public is made aware with the list of affected apps. I would say this lgexin would not be that much different from the iOS debacle. At the very least, the apps should be revealed later after the publishers (at least those who were given a chance) had fixed the issue, similar to how security holes and exploits are properly publicized. Those who do not fix it in time must be outed as well to prevent further abuse by the developers of the SDK.

Re:List

[Anonymous Coward]

Not only should a list of the "Apps" be provided, so should a list of the "Developers" who used this SDK. Let's run this down, shall we?
The Igexin SDK is Adware. "Developers" use it to generate extra income by letting Third Parties deliver Ads within the App. They have the ethics of an Alley-Cat; they don't care what the Ads are for, or assume any responsibility for them.
They are too stupid, too lazy, or too venal to care. (This is true for anybody who lets Third Party Advertising through. If they don't care to Host or Vet this crap, screw them.)
All Adware is Malware these days by definition. Top bad, it didn't have to be this way. Also note how delicately wording is being used here. The Apps, the Developers, the Igexin Touts being discussed here are all Chinese Nationals. This is one that can't be blamed on the Russians.
This is not a knock against the Chinese. If this proves to be an embarrassment enough, China has the will and the means to Disappear those involved.
So let's see the list of the Apps, and the list of the Names.
This is the kind of information that needs to be free. For the Embarrassment.

So why aren't these Apps named?

[Anonymous Coward]

... IMHO these Apps should be named ...

Re:

[Anonymous Coward]

Better yet. Google should present us with an App that verifies if any of them are currently on our devices and offer to remove them.

Simply pulling from the store amounts to little more than sweeping the problem under the rug.

Re:

[bobstreo]

Better yet. Google should present us with an App that verifies if any of them are currently on our devices and offer to remove them.

Simply pulling from the store amounts to little more than sweeping the problem under the rug.

Don't forget the refund if they're non-free apps.

Re:

[The MAZZTer]

Android already does this. If you have software on your phone Google has flagged, and unless you have disabled the scanner in Android settings, you get a notification about it. Sideloaded or from Play Store, doesn't matter. You can test with SELinuxModeChanger, which changes SELinux policy status (if you're rooted) and thus Google has flagged it. Sideloading it should be enough to trigger the prompt if you want to see it.

Re:So why aren't these Apps named?

[sabbede]

Igexin won't name them either. Like many companies, they have a page on their site to brag on who uses their SDK. None are listed.

Wow

[Anonymous Coward]

FFS Google, how did you let it get this bad? I thought that you were supposed to be watching out for this kind of stuff. We need a "Install apps from the Google Play Store" toggle in the next version of Android. Default: OFF.

Oreo makes "Unknown sources" per-app

[tepples]

Android 8 "Oreo" has moved "Install apps from unknown sources" from a system-wide setting to a finer-grained permission for each app [googleblog.com]. This means F-Droid users won't need to put the whole operating system's shields down anymore. So if you have Oreo, and you don't download from Google Play Store, and you "Uninstall updates/Disable" any carrier-installed crap that's not part of AOSP or other core functionality, then you sacrifice a few genres of apps [pineight.com] but gain the theoretical safety of publicly auditable softwa

Re:

[account_deleted]

Comment removed based on user account deletion

Outraged

[Anonymous Coward]

Only Google's homegrown spyware is allowed on my phone! None of this third-party spyware for me.

If anyone is interested in what Igexin says...

[sabbede]

They have a response on their website, but for some reason won't allow it to be translated in-place like the bulk of their site. Copy&paste worked though:

Key words: August 23, 2017 morning, the domestic website reported entitled "Google removed Google Play on more than 500 malicious applications" and other related content, and point to the Igexin SDK security issues. It is understood that the content from a foreign media reports, due to foreign technical staff on the Division I technical mechanism to understand the bias, mistakenly SDK hot fix function is understood as the back of the malicious software download, resulting in part of the domestic media translation, Interpretation, there are some misunderstandings.

With the hot fix function of the SDK, App is an important part of the operation, if the bug because it will cause the failure of App can not work, developers need to re-issue, in order to ensure that App can be used as soon as possible, this technology is the domestic many App developers Required to join, and is widely used for business function updates and problem fixes.

With regard to hot fix technology, Apple and Google have made the latest restrictions since this year, changing the rules that allowed the use of hot updates before.

The Google Developer Center website is up to date

For apps distributed via Google Play, you may not modify, replace, or update the app itself in any manner other than the Google Play update mechanism. Likewise, the application may not download executable code (such as dex, JAR, and .so files) from sources other than Google Play. This restriction does not apply to code that runs on a virtual machine and has limited access to the Android API (such as JavaScript in a WebView or browser).

When we received some app developer feedback, we contacted the Google team for the first time, communicated the matter, followed by the hot fix, and provided the SDK version that meets the latest Google Play review requirements. The use of the relevant version of the SDK SDK developers have updated the version, and re-Google shelves, previously encountered security tips and other issues have also been properly resolved. Foreign media mentioned in the original text of the test occurred in the Google review strategy adjustment period, the text involved in the SDK for the earlier version, has been rarely used. In the future, we will work closely with domestic and foreign testing organizations to avoid such incidents from happening again.

We apologize for the distress caused by the developers and the media units.

Thank you again for the support of our company as always. We will continue to optimize the technology for the majority of developers to provide more quality services!

Bullshit, SDK's should not "hot-fix"

[Anonymous Coward]

Possible nefarious behavior aside, this behavior is unacceptable in an "SDK". The developer/development team that created the application developed against a specific version of the SDK and tested against that. If an SDK hot-fixes, you've completely invalidated the testing for that application and possibly broken things in the application. Even if the only thing you're doing is fixing known bugs in the SDK, it's quite possible that the developers implemented code to work around those bugs and fixing it w

Well...

[argStyopa]

...mightn't it be useful somewhere to list the apps that were pulled, and or their authors?

Android itself is a security flaw

[Anonymous Coward]

So they once have flaws in their walled garden store that allow malware on to people's devices, then don't even tell them which ones they were. They have had flaws in the past, and who knows how many more are yet to be discovered.

While they do monthly "security updates" less than 1% of users actually get them in a timely manner most will never get them at all and you can forget about large OS updates.

One of these days some horrible malware is going to hit most of their users and once that happens, it will

Re:

[Ol Olsoc]

Android's security model is more robust than iOS's. However, the issue is how things are curated. Apple is a brutal and capricious caretaker, while Google is reactive.

A reactive security model is more robust than a proactive one?

Especially one that doesn't notify the victims of the malware which apps are screwing their pooch.

Re:

[thejynxed]

Google is already working on changes to their update mechanisms for Android (and Android's successor OS test builds) that cut out the cause of delayed/non-existent updates entirely: Wireless companies like Verizon.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[thegarbz]

The system has worked and the problem is rendered safe. Many developers would not have known what this code does as it is part of a 3rd party SDK. There's as much sense in identifying this malware as there is posting the names of people who's computers were hit by Petya

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[chihowa]

These developers used a sketchy malware-laden "monetization" package without bothering to find out what it really does. Now that they can't use this sketchy malware-laden "monetization" package, they're going to have to quickly integrate some other sketchy malware-laden "monetization" package to keep the money rolling in. They will reoffend and not identifying them facilitates this.

Google's future?

[Anonymous Coward]

These apps are downloaded over 100 million times and Google just takes action now. I think that says some thing negative about Google and how they do business. I hope Google will be more responsible in the future. Are there legal uses for the Igexin SDK?

Re: Google's future?

[Anonymous Coward]

Lgexin was a legitimate ad network at one point, but it contained an update mechanism which could be abused later (and downloading malicious components later was one way to evade Google's malware scanners). The apps are being removed/updated to prevent future abuse, not only to stop current abuse; The list of affected app is being witheld because not all of the apps/developers were malcious.

Re:

[epine]

The list of affected app is being withheld because not all of the apps/developers were malicious.

But what about the user who wants to swab his or her throbbing anus to see if the macro-penis assailant was microbiologically weaponized?

We need a list.

Aren't you being way too concerned about the wrong side of this?

Doesn't matter

[volodymyrbiryuk]

Dumb ass users will complain that one of their favorite apps is gone and install it from 3rd party. And then complain that their phones are compromised.

It's probably a good time

[bobstreo]

For google play to get a whole lot more serious about application security checks before allowing them to become available.

The play store should be held (financially/legally) responsible when issues like this occur.