Slashdot Mirror


Google Pulls 500+ Backdoored Apps With Over 100 Million Downloads From Google Play (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Security researchers have identified over 500 apps on Google Play containing an advertising software development kit (SDK) called Igexin, which allowed covert download of spying plugins. The apps in question represent a wide selection of photo editors, Internet radio and travel apps, educational, health and fitness apps, weather apps, and so on, and were downloaded over 100 million times across the Android ecosystem. Lookout researchers did not name the apps that were found using the malicious SDK, but notified Google of the problem. The latter then proceeded to clean up house, either by removing the offending apps altogether, or by forcing app developers to upload an updated version with the invasive features (i.e. the Igexin SDK) removed. "Users and app developers have no control over what will be executed on a device after the remote API request is made. The only limitations on what could potentially be run are imposed by the Android permissions system," the researchers pointed out. "It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality -- nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server."

58 comments

  1. List by Anonymous Coward · · Score: 5, Insightful

    What's the point of source material that doesn't include a list of the apps?

    1. Re:List by Ritz_Just_Ritz · · Score: 4, Insightful

      I agree. Without the list of impacted applications, this "warning" is pretty worthless and more of a PR piece.

    2. Re:List by Anonymous Coward · · Score: 0

      The affected apps should be removed automatically by Google Play, assuming these devices connect online at some point.

    3. Re:List by TheDarkMaster · · Score: 2

      I also agree. What's the point of the warning if you cannot see which applications are affected?

      --
      Religion: The greatest weapon of mass destruction of all time
    4. Re:List by Anonymous Coward · · Score: 4, Interesting

      Not an ideal solution. You might have data and whatnot on these apps.

      Also, doing it automatically makes Google look like Microsoft and their Windows 10 updates. I guess it's just not good PR.

    5. Re:List by swillden · · Score: 4, Informative

      What's the point of source material that doesn't include a list of the apps?

      According to the Ars Technica article, the researchers say they didn't publish a list of the apps to avoid punishing app developers who didn't realize that the Igexin SDK could download and execute plugins which could potentially exfiltrate user data that the app had permission to see.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:List by Anonymous Coward · · Score: 5, Insightful

      Translation: "Big, BIG Brand apps were also affected and we don't want to end up on their shit lists."

    7. Re:List by Anonymous Coward · · Score: 0

      Oh how quickly we forget how Microsoft abused the whole update process, faking telemetry updates as "critical".

    8. Re:List by Anonymous Coward · · Score: 1

      The XcodeGhost is malicious and the public is made aware with the list of affected apps. I would say this Igexin would not be that much different from the iOS debacle. At the very least, the apps should be revealed later after the publishers (at least those who were given a chance) had fixed the issue, similar to how security holes and exploits are properly publicized. Those who do not fix it in time must be outed as well to prevent further abuse by the developers of the SDK.

    9. Re:List by Anonymous Coward · · Score: 4, Insightful

      Not only should a list of the "Apps" be provided, so should a list of the "Developers" who used this SDK. Let's run this down, shall we?
      The Igexin SDK is Adware. "Developers" use it to generate extra income by letting Third Parties deliver Ads within the App. They have the ethics of an Alley-Cat; they don't care what the Ads are for, or assume any responsibility for them.
      They are too stupid, too lazy, or too venal to care. (This is true for anybody who lets Third Party Advertising through. If they don't care to Host or Vet this crap, screw them.)
      All Adware is Malware these days by definition. Too bad, it didn't have to be this way. Also note how delicately the wording is being used here. The Apps, the Developers, the Igexin Touts being discussed here are all Chinese Nationals. This is one that can't be blamed on the Russians.
      This is not a knock against the Chinese. If this proves to be an embarrassment enough, China has the will and the means to Disappear those involved.
      So let's see the list of the Apps, and the list of the Names.
      This is the kind of information that needs to be free. For the Embarrassment.

    10. Re:List by Anonymous Coward · · Score: 0

      mod parent up

    11. Re:List by The+MAZZTer · · Score: 2

      Android already warns users if they have apps installed, sideloaded or not, that are suspicious. I expect Google will (if they haven't already) roll out new malware definitions which will alert users who have one of these apps installed.

    12. Re:List by Anonymous Coward · · Score: 0

      How much do you want to bet that every one of the affected apps is available at no charge?

  2. So why aren't these Apps named? by Anonymous Coward · · Score: 4, Insightful

    ... IMHO these Apps should be named ...

    1. Re:So why aren't these Apps named? by Anonymous Coward · · Score: 3, Insightful

      Better yet. Google should present us with an App that verifies if any of them are currently on our devices and offer to remove them.

      Simply pulling from the store amounts to little more than sweeping the problem under the rug.

    2. Re:So why aren't these Apps named? by sabbede · · Score: 3, Informative

      Igexin won't name them either. Like many companies, they have a page on their site to brag on who uses their SDK. None are listed.

    3. Re: So why aren't these Apps named? by Anonymous Coward · · Score: 0

      Lookout and AVG scanners supposedly already detect this threat.

    4. Re:So why aren't these Apps named? by bobstreo · · Score: 2

      Better yet. Google should present us with an App that verifies if any of them are currently on our devices and offer to remove them.

      Simply pulling from the store amounts to little more than sweeping the problem under the rug.

      Don't forget the refund if they're non-free apps.

    5. Re:So why aren't these Apps named? by The+MAZZTer · · Score: 1

      Android already does this. If you have software on your phone Google has flagged, and unless you have disabled the scanner in Android settings, you get a notification about it. Sideloaded or from Play Store, doesn't matter. You can test with SELinuxModeChanger, which changes SELinux policy status (if you're rooted) and thus Google has flagged it. Sideloading it should be enough to trigger the prompt if you want to see it.

  3. Re:Typical Micro$oft by Anonymous Coward · · Score: 0

    You realize this article is about a Linux based OS right?

  4. Wow by Anonymous Coward · · Score: 2, Insightful

    FFS Google, how did you let it get this bad? I thought that you were supposed to be watching out for this kind of stuff. We need a "Install apps from the Google Play Store" toggle in the next version of Android. Default: OFF.

  5. Some people will not be happy by houghi · · Score: 1, Funny

    The NSA will be sooo pissed that we locked them out. And with that all the other agencies all over the world.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re: Some people will not be happy by Anonymous Coward · · Score: 0

      In a talk from a high level ex-NSA/CIA/DOD, he said only an idiot would use android due to security.

  6. Outraged by Anonymous Coward · · Score: 2

    Only Google's homegrown spyware is allowed on my phone! None of this third-party spyware for me.

  7. If anyone is interested in what Igexin says... by sabbede · · Score: 4, Interesting

    They have a response on their website, but for some reason won't allow it to be translated in-place like the bulk of their site. Copy&paste worked though:

    Key words: August 23, 2017 morning, the domestic website reported entitled "Google removed Google Play on more than 500 malicious applications" and other related content, and point to the Igexin SDK security issues. It is understood that the content from a foreign media reports, due to foreign technical staff on the Division I technical mechanism to understand the bias, mistakenly SDK hot fix function is understood as the back of the malicious software download, resulting in part of the domestic media translation, Interpretation, there are some misunderstandings.

    With the hot fix function of the SDK, App is an important part of the operation, if the bug because it will cause the failure of App can not work, developers need to re-issue, in order to ensure that App can be used as soon as possible, this technology is the domestic many App developers Required to join, and is widely used for business function updates and problem fixes.

    With regard to hot fix technology, Apple and Google have made the latest restrictions since this year, changing the rules that allowed the use of hot updates before.

    The Google Developer Center website is up to date

    For apps distributed via Google Play, you may not modify, replace, or update the app itself in any manner other than the Google Play update mechanism. Likewise, the application may not download executable code (such as dex, JAR, and .so files) from sources other than Google Play. This restriction does not apply to code that runs on a virtual machine and has limited access to the Android API (such as JavaScript in a WebView or browser).

    When we received some app developer feedback, we contacted the Google team for the first time, communicated the matter, followed by the hot fix, and provided the SDK version that meets the latest Google Play review requirements. The use of the relevant version of the SDK SDK developers have updated the version, and re-Google shelves, previously encountered security tips and other issues have also been properly resolved. Foreign media mentioned in the original text of the test occurred in the Google review strategy adjustment period, the text involved in the SDK for the earlier version, has been rarely used. In the future, we will work closely with domestic and foreign testing organizations to avoid such incidents from happening again.

    We apologize for the distress caused by the developers and the media units.

    Thank you again for the support of our company as always. We will continue to optimize the technology for the majority of developers to provide more quality services!

    1. Re:If anyone is interested in what Igexin says... by Anonymous Coward · · Score: 0

      How many times was this run through Google translate?

    2. Re:If anyone is interested in what Igexin says... by Anonymous Coward · · Score: 0

      Igexin

      Sounds a lot like 'I gets in' doesn't it ;)

  8. Oreo makes "Unknown sources" per-app by tepples · · Score: 1

    Android 8 "Oreo" has moved "Install apps from unknown sources" from a system-wide setting to a finer-grained permission for each app. This means F-Droid users won't need to put the whole operating system's shields down anymore. So if you have Oreo, and you don't download from Google Play Store, and you "Uninstall updates/Disable" any carrier-installed crap that's not part of AOSP or other core functionality, then you sacrifice a few genres of apps but gain the theoretical safety of publicly auditable software that F-Droid's inclusion policy enables.

    As for the install permission on Google Play Store, on the one hand, you'd want to leave it off to keep kids from installing crap. On the other hand, you'd want to leave it on to apply security updates to core OS components, such as Google Chrome and Gboard. But until Oreo gets delivered OTA, I don't know how to find out whether this setting would even work for Google Play Store.

  9. Well... by argStyopa · · Score: 2

    ...mightn't it be useful somewhere to list the apps that were pulled, and or their authors?

    --
    -Styopa
  10. Android itself is a security flaw by Anonymous Coward · · Score: 2

    So they once have flaws in their walled garden store that allow malware on to people's devices, then don't even tell them which ones they were. They have had flaws in the past, and who knows how many more are yet to be discovered.

    While they do monthly "security updates", less than 1% of users actually get them in a timely manner; most will never get them at all, and you can forget about large OS updates.

    One of these days some horrible malware is going to hit most of their users and once that happens, it will happen over and over and over again. Very similar to what happened with MS and Windows XP in the beginning. Maybe then Google will take security seriously and have a sane update model that won't leave their users screwed. Maybe. Probably not.

    1. Re:Android itself is a security flaw by Anonymous Coward · · Score: 0

      Android's security model is more robust than iOS's. However, the issue is how things are curated. Apple is a brutal and capricious caretaker, while Google is reactive.

      Apple is definitely winning. We are going on ten years with iOS, and there has yet to be a single piece of malware to be found in the wild. Impressive, especially for the largest OS ecosystem out there.

    2. Re:Android itself is a security flaw by Ol+Olsoc · · Score: 1

      Android's security model is more robust than iOS's. However, the issue is how things are curated. Apple is a brutal and capricious caretaker, while Google is reactive.

      A reactive security model is more robust than a proactive one?

      Especially one that doesn't notify the victims of the malware which apps are screwing their pooch.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Android itself is a security flaw by thejynxed · · Score: 1

      Google is already working on changes to their update mechanisms for Android (and Android's successor OS test builds) that cut out the cause of delayed/non-existent updates entirely: Wireless companies like Verizon.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  11. Good for Google, about time! by Anonymous Coward · · Score: 0

    This should have happened a long time ago, but better late than never I guess. It appears that the apps are the avenue of choice these days to try and harvest data from users. Especially on the Android side where a lax environment exists for sketchy apps to make their way onto the store.

  12. Hmmm. I wonder. by Anonymous Coward · · Score: 0

    I wonder if F-Droid has more or fewer than 500 backdoored apps. Man, if we could only check the source of the apps on F-Droid, that would be great!

  13. Fuck Steve Jobs! Fuck Walled Gardens! by Anonymous Coward · · Score: 0

    Why is Apple always telling people what apps they are allowed to install on their phones! This is an OUTRAGE!!!!11one

    Oh, what's that? This article is about Google? Carry on, then.

  14. More proof Google is evil by HBI · · Score: 4, Insightful

    Their app store is riddled with malware and they won't identify the malware. That really engenders trust and makes me want to use their stuff.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:More proof Google is evil by thegarbz · · Score: 1

      The system has worked and the problem is rendered safe. Many developers would not have known what this code does as it is part of a 3rd party SDK. There's as much sense in identifying this malware as there is posting the names of people whose computers were hit by Petya.

    2. Re:More proof Google is evil by HBI · · Score: 1

      An advertising toolkit with malware embedded in it...yes, you haven't been captured by the system at all. I bought a phone and now it's ok to include advertising toolkits with embedded malware in the applications on it without my knowledge. The vendor of the phone knows this, but won't tell anyone which ones to avoid, to protect their bottom line instead of the users.

      Disclosure is always the right move. This is just another data point on the "Google is Evil" path to hell.

      Google's bottom line must be pummeled, as a result.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    3. Re:More proof Google is evil by chihowa · · Score: 1

      These developers used a sketchy malware-laden "monetization" package without bothering to find out what it really does. Now that they can't use this sketchy malware-laden "monetization" package, they're going to have to quickly integrate some other sketchy malware-laden "monetization" package to keep the money rolling in. They will reoffend and not identifying them facilitates this.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  15. Google's future? by Anonymous Coward · · Score: 1

    These apps are downloaded over 100 million times and Google just takes action now. I think that says something negative about Google and how they do business. I hope Google will be more responsible in the future. Are there legal uses for the Igexin SDK?

    1. Re: Google's future? by Anonymous Coward · · Score: 2, Informative

      Lgexin was a legitimate ad network at one point, but it contained an update mechanism which could be abused later (and downloading malicious components later was one way to evade Google's malware scanners). The apps are being removed/updated to prevent future abuse, not only to stop current abuse; the list of affected apps is being withheld because not all of the apps/developers were malicious.

    2. Re: Google's future? by Anonymous Coward · · Score: 0

      So protect the developers and screw the users? nice.

    3. Re: Google's future? by epine · · Score: 1

      The list of affected apps is being withheld because not all of the apps/developers were malicious.

      But what about the user who wants to swab his or her throbbing anus to see if the macro-penis assailant was microbiologically weaponized?

      We need a list.

      Aren't you being way too concerned about the wrong side of this?

    4. Re: Google's future? by Anonymous Coward · · Score: 0

      "Lgexin was a legitimate ad network at one point..."

      There is no such thing. You are very naive. Or disingenuous as hell. Either way, you suck. Oh, it's _I_gexin you twat.

      "...The list of affected apps is being withheld because not all of the apps/developers were malicious."

      Yes, they were all malicious. ( i see what you missed there.) Or very naive. Either way, they suck.
      This SDK exists for one overt reason: to deliver Third Party Ads within paid-for Applications for the profit of these Developers, Igexin, their Partners, and the Men Behind the Curtains. The means used to Target these Ads are fundamentally corrupt; of course they were meant to be abused from the very beginning.
      Igexin has a long history of these kinds of shenanigans, as is their Domain Registrar, Xin Net Technology Corporation.
      Note that we in the West haven't much to worry about; this plot was targeting Chinese Nationals.

  16. Doesn't matter by volodymyrbiryuk · · Score: 4, Interesting

    Dumb ass users will complain that one of their favorite apps is gone and install it from 3rd party. And then complain that their phones are compromised.

    --
    sudo rm -r -f --no-preserve-root /
  17. Bullshit, SDK's should not "hot-fix" by Anonymous Coward · · Score: 3, Insightful

    Possible nefarious behavior aside, this behavior is unacceptable in an "SDK". The developer/development team that created the application developed against a specific version of the SDK and tested against that. If an SDK hot-fixes, you've completely invalidated the testing for that application and possibly broken things in the application. Even if the only thing you're doing is fixing known bugs in the SDK, it's quite possible that the developers implemented code to work around those bugs and fixing it will cause those workarounds to break (e.g. the API returns ERROR_002 for a certain condition when it should be returning ERROR_001. Problems like this are common in SDKs). So either they are:
    1. Evil programmers who wanted to make your app do something unintended.
    2. Incompetent programmers who could accidentally make your app do something unintended.
    Either option sucks.

  18. App should submit contact url. by Anonymous Coward · · Score: 0

    Apps should submit their contact URLs/servers to the Play Store. The Android permissions should whitelist the app connections during installation. If an app tries to connect to any other URL after install, it should be denied.
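    Two ideas in this thread lend themselves to a pre-publication check: the Google Play policy quoted in sabbede's comment above (an app may not download executable code such as dex, JAR or .so files from outside Google Play) and the declared-server allowlist proposed just above. The script below is an added example for this thread, not code from Lookout, Google, Igexin or the article; it is a string-level triage pass over an APK's dex files. The Dalvik class descriptors it looks for are real Android API names; the sample strings, hostnames and allowlist are constructed for the demonstration, and a clean result only means no evidence at the string level (obfuscated or assembled-at-runtime strings are not caught).

```python
"""Static triage: runtime code loading and undeclared network hosts in an APK.

Added example, not the SDK's, Google's or the researchers' code. It approximates
two checks discussed in the thread: the Play policy against downloading dex/JAR/.so
from outside Google Play, and a per-app allowlist of declared servers.
"""
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import Iterable, Iterator, List
from urllib.parse import urlsplit

# Real Dalvik class descriptors, as they appear in a dex string table, for the
# APIs that load code at runtime. Their presence is a signal to review, not proof.
CODE_LOADING_DESCRIPTORS = {
    "Ldalvik/system/DexClassLoader;": "loads .dex/.jar from a path the app chooses",
    "Ldalvik/system/PathClassLoader;": "loads classes from an arbitrary path",
    "Ldalvik/system/InMemoryDexClassLoader;": "loads dex bytes straight from memory",
}
EXECUTABLE_SUFFIXES = (".dex", ".jar", ".apk", ".so", ".zip")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{6,}")


@dataclass
class Finding:
    kind: str   # "code_loader", "executable_url" or "undeclared_host"
    value: str
    note: str = ""


def strings_from_apk(path: str) -> Iterator[str]:
    """Crude string extraction: printable ASCII runs from every classes*.dex.

    Dex string_data items are length-prefixed MUTF-8, so class descriptors and
    URL literals survive intact inside such runs. Good enough for a triage pass;
    a real pipeline would parse the dex string table properly.
    """
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                for m in PRINTABLE_RUN_RE.finditer(apk.read(name)):
                    yield m.group().decode("ascii")


def audit_strings(strings: Iterable[str], declared_hosts: Iterable[str]) -> List[Finding]:
    """Flag runtime code loaders, URLs to executable content, and hosts missing
    from the app's declared server list."""
    declared = {h.lower() for h in declared_hosts}
    findings: List[Finding] = []
    seen_hosts = set()
    for s in strings:
        if s in CODE_LOADING_DESCRIPTORS:
            findings.append(Finding("code_loader", s, CODE_LOADING_DESCRIPTORS[s]))
        for url in URL_RE.findall(s):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(Finding("executable_url", url, "points at executable content"))
            if host and host not in declared and host not in seen_hosts:
                seen_hosts.add(host)
                findings.append(Finding("undeclared_host", host, "not in the declared server list"))
    return findings


def verdict(findings: Iterable[Finding]) -> str:
    """'reject' on a policy-level hit, 'review' on an undeclared host only, else 'pass'."""
    kinds = {f.kind for f in findings}
    if kinds & {"code_loader", "executable_url"}:
        return "reject"
    return "review" if "undeclared_host" in kinds else "pass"


# Constructed sample: what a string pass over a hypothetical photo-editor app
# bundling an ad SDK with a plugin updater might yield. Not from any real app.
SAMPLE_STRINGS = [
    "Lcom/example/photoeditor/MainActivity;",
    "https://api.example-photos.test/v1/upload",
    "Ldalvik/system/DexClassLoader;",
    "http://cdn.ad-sdk.example/plugins/update.jar",
    "Landroid/webkit/WebView;",
]
DECLARED_HOSTS = ["api.example-photos.test"]  # what the developer would declare


if __name__ == "__main__":
    # Usage: python audit.py [app.apk]; without an argument the sample strings are used.
    source = strings_from_apk(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STRINGS
    results = audit_strings(source, DECLARED_HOSTS)
    for f in results:
        print(f"{f.kind:16} {f.value}  ({f.note})")
    print("verdict:", verdict(results))
```

    The allowlist comparison is deliberately host-level rather than URL-level, since query strings and paths churn with every release while the set of servers an app legitimately talks to rarely does; WebView-hosted JavaScript, which the quoted policy exempts, is not flagged by this pass either.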

  19. "trusted app stores" by Anonymous Coward · · Score: 0

    You lost me on the sanity-and-seriousness scale when you used the words "trusted app stores" for a repo of proprietary software. It is impossible to trust something which can't be audited. No, I'm not saying we all need to be Theo de Raadt, but if you're not even trying, then you're not even trying.

    It's pretty disgusting that Google and Apple are so dominating our handheld PCs, because they're so markedly inferior to what are otherwise our usual quality standards. You would never put up with this shit on your server or desktop. As if the stakes on your handheld are any lower!!

    We need to kill Android and iOS. They are shaping up to be the Democrats and Republicans of PCs!

  20. It's probably a good time by bobstreo · · Score: 1

    For Google Play to get a whole lot more serious about application security checks before allowing them to become available.

    The play store should be held (financially/legally) responsible when issues like this occur.

  21. Google creates a botnet the size of 100,000,000 by Anonymous Coward · · Score: 0

    And nothing happens

  22. only way to fix this-3rd party history app for goo by Anonymous Coward · · Score: 0

    This is a fiasco...

    500 apps with a backdoor, and I'm certain there will be many more in the coming weeks...

    We need a 3rd party/open source google apps tracker, that auto highlights which apps get pulled, so they can't hide this nonsense.
    Name and shame ALL the devs/companies associated with this, otherwise, they'll just try to sneak around with more bs

  23. Re:Typical Micro$oft by Anonymous Coward · · Score: 0

    PROTIP: Don't try to reverse-troll unless you actually know WTF you are doing, dumbass.