Slashdot Mirror


Google Pulls 500+ Backdoored Apps With Over 100 Million Downloads From Google Play (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Security researchers have identified over 500 apps on Google Play containing an advertising software development kit (SDK) called Igexin, which allowed covert download of spying plugins. The apps in question represent a wide selection of photo editors, Internet radio and travel apps, educational, health and fitness apps, weather apps, and so on, and were downloaded over 100 million times across the Android ecosystem. Lookout researchers did not name the apps that were found using the malicious SDK, but notified Google of the problem. The latter then proceeded to clean up house, either by removing the offending apps altogether, or by forcing app developers to upload an updated version with the invasive features (i.e. the Igexin SDK) removed. "Users and app developers have no control over what will be executed on a device after the remote API request is made. The only limitations on what could potentially be run are imposed by the Android permissions system," the researchers pointed out. "It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality -- nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server."


  1. List by Anonymous Coward · · Score: 5, Insightful

    What's the point of source material that doesn't include a list of the apps?

    1. Re:List by Ritz_Just_Ritz · · Score: 4, Insightful

      I agree. Without the list of impacted applications, this "warning" is pretty worthless and more of a PR piece.

    2. Re:List by Anonymous Coward · · Score: 5, Insightful

      Translation: "Big, BIG Brand apps were also affected and we don't want to end up on their shit lists."

    3. Re:List by Anonymous Coward · · Score: 4, Insightful

      Not only should a list of the "Apps" be provided, so should a list of the "Developers" who used this SDK. Let's run this down, shall we?
      The Igexin SDK is Adware. "Developers" use it to generate extra income by letting Third Parties deliver Ads within the App. They have the ethics of an Alley-Cat; they don't care what the Ads are for, or assume any responsibility for them.
      They are too stupid, too lazy, or too venal to care. (This is true for anybody who lets Third Party Advertising through. If they don't care to Host or Vet this crap, screw them.)
      All Adware is Malware these days by definition. Too bad, it didn't have to be this way. Also note how delicately wording is being used here. The Apps, the Developers, the Igexin Touts being discussed here are all Chinese Nationals. This is one that can't be blamed on the Russians.
      This is not a knock against the Chinese. If this proves to be enough of an embarrassment, China has the will and the means to Disappear those involved.
      So let's see the list of the Apps, and the list of the Names.
      This is the kind of information that needs to be free. For the Embarrassment.

  2. So why aren't these Apps named? by Anonymous Coward · · Score: 4, Insightful

    ... IMHO these Apps should be named ...

    1. Re:So why aren't these Apps named? by Anonymous Coward · · Score: 3, Insightful

      Better yet. Google should present us with an App that verifies if any of them are currently on our devices and offer to remove them.

      Simply pulling from the store amounts to little more than sweeping the problem under the rug.

  3. Wow by Anonymous Coward · · Score: 2, Insightful

    FFS Google, how did you let it get this bad? I thought that you were supposed to be watching out for this kind of stuff. We need an "Install apps from the Google Play Store" toggle in the next version of Android. Default: OFF.

  4. More proof Google is evil by HBI · · Score: 4, Insightful

    Their app store is riddled with malware and they won't identify the malware. That really engenders trust and makes me want to use their stuff.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.

  5. Bullshit, SDKs should not "hot-fix" by Anonymous Coward · · Score: 3, Insightful

    Possible nefarious behavior aside, this behavior is unacceptable in an "SDK". The developer/development team that created the application developed against a specific version of the SDK and tested against that. If an SDK hot-fixes, you've completely invalidated the testing for that application and possibly broken things in the application. Even if the only thing you're doing is fixing known bugs in the SDK, it's quite possible that the developers implemented code to work around those bugs and fixing it will cause those workarounds to break (e.g. the API returns ERROR_002 for a certain condition when it should be returning ERROR_001. Problems like this are common in SDKs). So either they are:
    1. Evil programmers who wanted to make your app do something unintended.
    2. Incompetent programmers who could accidentally make your app do something unintended.
    Either option sucks.