Mobile developers, listen up: when you pick up that easy-to-use advertising API, make sure it's not snoopware.
That's the lesson, the take-out, or (god have mercy on my soul) key learning from work by security outfit Lookout, whose analysis of the Igexin advertising SDK ended with hundreds of apps returning “not found” on Google Play.
The firm found the SDK behaved badly: it monitored the phone, recorded call time, calling number and call state, and sent that back to
More than 500 apps that Lookout checked were carrying the SDK, after the company's researchers spotted apps communicating with malware-associated IP addresses and wondered why.
“We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK”, the company explains.
“The encrypted file downloads and the presence of calls within the com.igexin namespace to Android's dalvik.system.DexClassLoader (used to load classes from a .jar or .apk file) were enough to warrant more in-depth analysis for possible malware hiding in its payload.”
From there, the researchers went on to find that some versions of the SDK had a framework allowing the client to load arbitrary code, taking its instructions from the endpoint
The app would then download and load JAR files that implemented the SDK's “phone home” capability. And, as the discussion notes, neither the user nor an app's developer has any control over what happens: “Users and app developers have no control over what will be executed on a device after the remote API request is made”.
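The two signals Lookout describes (calls to `dalvik.system.DexClassLoader` from inside the SDK's namespace, and large encrypted downloads that follow a request to the SDK's REST endpoint) can be turned into a simple triage heuristic for an analyst looking at a decompiled APK and a proxy capture. The following is an added example, not Lookout's tooling or code from the Igexin SDK: the method-reference list, the class name `com.igexin.push.core.a`, the `cdn.example.invalid` download URLs and the response bodies are all constructed sample data; the only value taken from the report is the API hostname.

```python
# Added example (not Lookout's code): heuristic triage combining two signals from the
# report above: (1) references to a dynamic class loader from classes inside an SDK
# namespace and (2) large, high-entropy downloads that follow a request to the SDK's
# REST endpoint. All inputs below are constructed samples, not data from a real app.
import math
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

DYNAMIC_LOADERS = ("dalvik.system.DexClassLoader", "dalvik.system.PathClassLoader")


@dataclass
class MethodRef:
    caller_class: str   # class containing the call, e.g. "com.igexin.push.core.a"
    target: str         # callee, e.g. "dalvik.system.DexClassLoader.<init>"


@dataclass
class HttpEvent:
    url: str
    body: bytes         # response body as captured by a proxy (constructed stand-in here)


def namespace_of(class_name: str, depth: int = 2) -> str:
    """'com.igexin.push.core.a' -> 'com.igexin' (first `depth` package segments)."""
    return ".".join(class_name.split(".")[:depth])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for JSON or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classloader_namespaces(refs) -> set:
    """Namespaces whose classes call a dynamic class loader."""
    return {namespace_of(r.caller_class) for r in refs
            if any(r.target.startswith(loader) for loader in DYNAMIC_LOADERS)}


def encrypted_downloads_after_api(events, api_host, min_size=64 * 1024, min_entropy=7.0):
    """Large, high-entropy responses seen once the SDK's API endpoint has been contacted."""
    api_seen = False
    flagged = []
    for ev in events:
        host = urlparse(ev.url).hostname or ""
        if host == api_host:
            api_seen = True
            continue
        if api_seen and len(ev.body) >= min_size:
            ent = shannon_entropy(ev.body)
            if ent >= min_entropy:
                flagged.append((ev.url, len(ev.body), round(ent, 2)))
    return flagged


def triage(refs, events, sdk_namespace, api_host):
    """Combine both signals; only the combination warrants pulling the payload apart."""
    loaders = classloader_namespaces(refs)
    downloads = encrypted_downloads_after_api(events, api_host)
    return {
        "dynamic_loading_in_sdk": sdk_namespace in loaders,
        "encrypted_downloads_after_api": downloads,
        "needs_deeper_analysis": sdk_namespace in loaders and bool(downloads),
    }


# Constructed sample: what a decompiler's cross-reference list and a proxy capture might yield.
SAMPLE_REFS = [
    MethodRef("com.example.flashlight.MainActivity", "android.util.Log.d"),
    MethodRef("com.igexin.push.core.a", "dalvik.system.DexClassLoader.<init>"),  # class name is constructed
    MethodRef("com.igexin.push.core.a", "java.lang.ClassLoader.loadClass"),
]
# 128 KiB with a uniform byte distribution (entropy 8.0), standing in for ciphertext.
ENCRYPTED_BLOB = bytes(range(256)) * 512
SAMPLE_EVENTS = [
    HttpEvent("http://sdk.open.phone.igexin.com/api.php", b'{"result":"ok","tasks":[]}'),  # endpoint named in the report
    HttpEvent("http://cdn.example.invalid/update.dat", ENCRYPTED_BLOB),                   # constructed follow-up download
    HttpEvent("http://cdn.example.invalid/config.json", b'{"interval": 3600}'),           # small plaintext, not flagged
]

if __name__ == "__main__":
    print(triage(SAMPLE_REFS, SAMPLE_EVENTS, "com.igexin", "sdk.open.phone.igexin.com"))
```

The entropy threshold is deliberately coarse: compressed images and fonts also score high, so this only ranks what deserves a look, and the actual verdict still comes from unpacking the downloaded JAR and reading what it loads.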
While the amount of data the app could exfiltrate was still constrained by Android's permissions, Lookout says in addition to call logging, it still spotted one app that exfiltrated user logs.
While Lookout doesn't say “apps phoned home to China”, it didn't stop far short of making that allegation. The igexin.com domain's registrar is Beijing-based Xin Net Technology Corporation, a registrar that has in the past been named as spam-friendly, and that ICANN [PDF] named in 2014 as having breached its registrar agreement. ®