Adware API sends smartmobe data home to Chinese company

Google pulls 500 apps that used the Igexin SDK


Mobile developers, listen up: when you pick up that easy-to-use advertising API, make sure it's not snoopware.

That's the lesson, the take-out, or (god have mercy on my soul) key learning from work by security outfit Lookout, whose analysis of the Igexin advertising SDK ended with hundreds of apps returning “not found” on Google Play.

The firm found the SDK behaved badly: it kept watch over the phone, recording the call time, calling number, and call state, and sent that data back to igexin.com.

More than 500 apps that Lookout checked were carrying the SDK, after the company's researchers spotted apps communicating with malware-associated IP addresses and wondered why.

“We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK”, the company explains in its analysis.

“The encrypted file downloads and the presence of calls within the com.igexin namespace to Android's dalvik.system.DexClassLoader (used to load classes from a .jar or .apk file) were enough to warrant more in-depth analysis for possible malware hiding in its payload.”

From there, the researchers went on to find that some versions of the SDK had a framework allowing the client to load arbitrary code, getting their instructions from the endpoint http://sdk[.]open[.]phone[.]igexin[.]com/api.php.

The app would then download and load JAR files that implemented the SDK's “phone home” capability. And, as the discussion notes, neither the user nor an app's developer has any control over what happens: “Users and app developers have no control over what will be executed on a device after the remote API request is made”.
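As an added illustration (not code from Lookout or this article), here is a first-pass static triage in Python that flags an APK whose dex files reference both the com.igexin namespace and dalvik.system.DexClassLoader, the combination Lookout treated as worth deeper analysis. The sample APK it builds is a constructed stand-in with a minimal fake classes.dex, not a real Igexin-carrying app.

```python
# Added example, not from Lookout or The Register: static triage that flags an
# APK whose dex code references both the com.igexin namespace and
# dalvik.system.DexClassLoader. Dex string tables hold class descriptors as raw
# MUTF-8 bytes such as "Lcom/igexin/...;", so a byte search over classes*.dex
# is enough for a first-pass check before deeper analysis.
import io
import re
import zipfile

IGEXIN_NS = b"Lcom/igexin/"
DEX_LOADER = b"Ldalvik/system/DexClassLoader;"
DEX_MAGIC = b"dex\n"


def scan_apk(apk_bytes: bytes) -> dict:
    """Return which indicators appear in the APK's dex files and a verdict."""
    found = {"igexin_namespace": False, "dex_class_loader": False, "dex_files": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            data = zf.read(name)
            if not data.startswith(DEX_MAGIC):
                continue  # not a dex file despite the name; skip it
            found["dex_files"].append(name)
            if IGEXIN_NS in data:
                found["igexin_namespace"] = True
            if DEX_LOADER in data:
                found["dex_class_loader"] = True
    # Both indicators together are what Lookout described; either alone is weak.
    found["suspect"] = found["igexin_namespace"] and found["dex_class_loader"]
    return found


def build_sample_apk(dex_strings: list) -> bytes:
    """Constructed stand-in for a real APK: a zip holding a fake classes.dex
    whose body contains the given descriptor strings (only the magic is checked,
    a full dex header is not built)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00".join(dex_strings))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk([b"Lcom/igexin/sdk/PushService;", DEX_LOADER])
    print(scan_apk(sample))
```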

While the amount of data an app could exfiltrate was still constrained by Android's permissions, Lookout says that in addition to call logging it spotted one app that exfiltrated user logs.

While Lookout doesn't say “apps phoned home to China”, they didn't stop far short of making that allegation. The igexin.com domain's registrar is Beijing-based Xin Net Technology Corporation, a registrar in the past named as spam-friendly, and as having breached its registrar agreement by ICANN [PDF] in 2014. ®

Biting the hand that feeds IT © 1998–2022