Adware API sends smartmobe data home to Chinese company

Google pulls 500 apps that used the Igexin SDK

Mobile developers, listen up: when you pick up that easy-to-use advertising API, make sure it's not snoopware.

That's the lesson, the take-out, or (god have mercy on my soul) key learning from work by security outfit Lookout, whose analysis of the Igexin advertising SDK ended with hundreds of apps returning “not found” on Google Play.

The firm found the SDK behaved badly by watching over smartphones and saving call time, calling number, and call state and sending that back to

More than 500 apps that Lookout checked were carrying the SDK, after the company's researchers spotted apps communicating with malware-associated IP addresses and wondered why.

“We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.], which is an endpoint used by the Igexin ad SDK”, the company explains here.

“The encrypted file downloads and the presence of calls within the com.igexin namespace to Android's dalvik.system.DexClassLoade (used to load classes from a .jar or .apk file) were enough to warrant more in-depth analysis for possible malware hiding in its payload.”

From there, the researchers went on to find that some versions of the SDK had a framework allowing the client to load arbitrary code, getting their instructions from the endpoint http://sdk[.]open[.]phone[.]igexin[.]com/api.php.

The app would then download and load JAR files that implemented the SDK's “phone home” capability. And, as the discussion notes, neither the user nor an app's developer have any control over what happens: “Users and app developers have no control over what will be executed on a device after the remote API request is made”.

While the amount of data the app could exfiltrate was still constrained by Android's permissions, Lookout says in addition to call logging, it still spotted one app that exfiltrated user logs.

While Lookout doesn't say “apps phoned home to China”, they didn't stop far short of making that allegation. The domain's registrar is Beijing-based Xin Net Technology Corporation, a registrar in the past named as spam-friendly, and as having breached its registrar agreement by ICANN [PDF] in 2014. ®

Keep Reading

UEFI malware rears ugly head again: Kaspersky uncovers campaign with whiff of China

It's like Hacking Team all over again

China-linked hacking gang ‘APT10’ named as probable actor behind extended attacks on Japanese companies

Campaign even targeted branch offices inside China and sought secrets of automotive and engineering companies

After first floating $20bn penalty, DoJ suggests $60m fine for UMC's theft of Micron’s DRAM secrets

Taiwanese chipmaker promises ‘substantial assistance’ in ongoing China IP theft action

Good: US boasts it collared two in Chinese hacking bust. Bad: They aren't the actual hackers, rest are safe in China

Ugly: And it's all about video game robberies at this stage

China tells America, with a straight face, it will absolutely crack down on hacking and copyright, tech blueprint theft

Wow, it's all coming up Trump right now, huh?

Hack computers to steal someone's identity in China? Why? You can just buy one from a bumpkin for, like, $3k

Black Hat Exploit an 3l33t zero-day and reverse-shell that backend DB proxy server... or simply pay this farmer off

China and Taiwan aren't great friends. Zoom sends chats through China. So Taiwan has banned Zoom

Government and local business told to buy local, but slum it with Google or Microsoft if you must

Clowns to the left to me, jokers to the right, here I am, stuck in the middle with EU: Google faces antitrust war with America, China

Search, mobile OS domination under fire from both sides of the planet

Biting the hand that feeds IT © 1998–2020