Through the use of an advertising software development kit contained in 500 apps on the Google Play Store, cybercriminals were able to spy on users and even infect their mobile devices with malware (opens in new tab).
That's according to security firm Lookout (opens in new tab) , which discovered that the Android apps in question all had the lgexin ad SDK built into them which gave unauthorised third parties access to user devices. The apps themselves also managed to be downloaded over 100 million times from the Google Play Store as many of them fell into popular categories such as weather, health and fitness, travel and games.
However, the app developers were likely not responsible for the malware added by the cybercriminals and this is not the first time that hackers have used an SDK to deliver a malicious payload.
Lookout researchers offered further details on why the developers were likely unaware that their apps contained malware at all, saying:
“It is likely many app developers were not aware of the personal information that could be exfiltrated from their customers' devices as a result of embedding Igexin's ad SDK. It required deep analysis of the apps' and ad SDK's behavior by our researchers to make this discovery. Not only is the functionality not immediately obvious, it could be altered at any time on the remote server.”
In an attempt to prevent apps from being able to deliver malware to mobile devices, Google recently introduced Google Play Protect (opens in new tab) which will be built into the latest version of its mobile OS, Android O (opens in new tab).
Lookout has informed Google of its discover and all of the affected apps have now been removed from the Play Store.
Image Credit: Andriano.cz / Shutterstock