According to research by cybersecurity company Lookout, first reported by Ars Technica, a malicious advertising software development kit (SDK) called Igexin was recently uploaded to the store so app developers could easily plug an advertising platform into their apps. But the SDK was stealing users' personal data without the app makers knowing about the data heist. Over 500 apps in the Google Play store used the spyware-ridden advertising SDK, and people downloaded the apps over 100 million times, Lookout says.
"While not all of these applications have been confirmed to download the malicious spying capability, Igexin could have introduced that functionality at their convenience," Lookout writes in a blog post about its research.
Lookout did not publish a full list of the affected apps, but it did say that Lucky Cash and SelfieCity had used the malicious SDK before getting fixed. Other apps that contained the SDK included teen video games, weather apps, photo editing apps, fitness apps, and even emoji apps.
Researchers came upon the malware after they started watching suspicious traffic as part of a routine review of apps. They found a traffic pattern associated with malware that "downloads and executes code after an initially 'clean' app is installed," said Lookout, explaining that malware authors use this technique to get their malware inside trustworthy apps to evade detection by companies like Google and Apple.
Google removed or fixed all of the apps that Lookout reported as infected with the malware.