Slashdot Mirror


Google Pulls 500+ Backdoored Apps With Over 100 Million Downloads From Google Play (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Security researchers have identified over 500 apps on Google Play containing an advertising software development kit (SDK) called Igexin, which allowed covert download of spying plugins. The apps in question represent a wide selection of photo editors, Internet radio and travel apps, educational, health and fitness apps, weather apps, and so on, and were downloaded over 100 million times across the Android ecosystem. Lookout researchers did not name the apps that were found using the malicious SDK, but notified Google of the problem. The latter then proceeded to clean up house, either by removing the offending apps altogether, or by forcing app developers to upload an updated version with the invasive features (i.e. the Igexin SDK) removed. "Users and app developers have no control over what will be executed on a device after the remote API request is made. The only limitations on what could potentially be run are imposed by the Android permissions system," the researchers pointed out. "It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality -- nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server."
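The pattern the report describes, an app that ships clean and later pulls dex/JAR/.so code from a server it does not control, leaves a footprint in the APK itself: the dex string table has to name the class loader the app will use, and usually the network client and endpoint too. The script below is an added example (not Lookout's tooling and not Igexin's code) of the cheap static triage an analyst would run before a dynamic look: unzip the APK, pull `strings`-style runs out of every `classes*.dex`, match the descriptors needed for runtime code loading, and flag the combination of "can load code" plus "talks to a server". The two APKs it scans are constructed in the script (a zip with a fake dex string table, not real apps), and `plugin.example.invalid` is a placeholder URL, not an Igexin endpoint.

```python
"""Static triage for runtime code loading in an APK (added example).

Real dex string_data items are laid out as <uleb128 length><mutf8 text>\x00,
so a `strings`-style scan of printable runs finds the same class descriptors
that smali/jadx would show, with at most a stray printable length byte in
front. Obfuscated or encrypted dex, and string-built class names, defeat this;
it is a first filter, not a verdict on its own.
"""
import io
import re
import zipfile

INDICATORS = {
    # Runtime class loading: what an Igexin-style plugin loader needs.
    "dex_loading": [
        b"Ldalvik/system/DexClassLoader;",
        b"Ldalvik/system/PathClassLoader;",
        b"Ldalvik/system/InMemoryDexClassLoader;",
        b"Ldalvik/system/DexFile;",
    ],
    # Loading native (.so) code; JNI apps hit this too, so it is weak alone.
    "native_loading": [b"loadLibrary"],
    # Network client classes; common in benign apps, only meaningful in
    # combination with the loading indicators above.
    "network": [b"Ljava/net/HttpURLConnection;", b"Ljava/net/URL;"],
}
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
DEX_NAME = re.compile(r"classes\d*\.dex")


def dex_strings(dex):
    """Runs of printable ASCII, like `strings classes.dex`. Callers match
    with `in` rather than equality because the dex length byte may be
    printable (e.g. 0x28 '(' for a 40-byte string) and lands in the run."""
    return PRINTABLE_RUN.findall(dex)


def scan_apk(apk_bytes):
    """Scan every classes*.dex in the APK. Returns indicator hits, URLs seen
    in the string table, and a verdict: suspicious when the app can load
    code at runtime AND has a network client or a hard-coded URL."""
    hits = {cat: set() for cat in INDICATORS}
    urls = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not DEX_NAME.fullmatch(name):
                continue
            for run in dex_strings(zf.read(name)):
                for cat, needles in INDICATORS.items():
                    for needle in needles:
                        if needle in run:
                            hits[cat].add(needle.decode())
                urls.update(u.decode() for u in URL_RE.findall(run))
    can_load = bool(hits["dex_loading"] or hits["native_loading"])
    has_net = bool(urls or hits["network"])
    return {
        "hits": {cat: sorted(v) for cat, v in hits.items()},
        "urls": sorted(urls),
        "suspicious": can_load and has_net,
    }


def _fake_dex(strings):
    """Constructed dex-like blob: the magic, then string_data items laid out
    as <length byte><text>\x00. Only the string table is imitated."""
    body = b"".join(bytes([len(s)]) + s + b"\x00" for s in strings)
    return b"dex\n035\x00" + body


def build_apk(entries):
    """Constructed stand-in for an APK (a zip). Not a real, signed app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one that looks like a remote plugin loader, one benign.
SAMPLE_PLUGIN_LOADER = build_apk({
    "AndroidManifest.xml": b"<constructed placeholder>",
    "classes.dex": _fake_dex([
        b"Landroid/widget/TextView;",
        b"Ldalvik/system/DexClassLoader;",
        b"loadLibrary",
        b"Ljava/net/HttpURLConnection;",
        b"http://plugin.example.invalid/plugin.jar",  # placeholder URL
    ]),
})
SAMPLE_BENIGN = build_apk({
    "AndroidManifest.xml": b"<constructed placeholder>",
    "classes.dex": _fake_dex([b"Landroid/widget/TextView;", b"onCreate"]),
})

if __name__ == "__main__":
    for label, apk in (("plugin loader", SAMPLE_PLUGIN_LOADER),
                       ("benign", SAMPLE_BENIGN)):
        print(label, scan_apk(apk))
```

On a real APK, replace the constructed samples with `open("app.apk", "rb").read()`; a hit on `dex_loading` next to a URL is the cue to run the app with network capture and watch for a dex/JAR/.so coming back, which is the behaviour the permissions system alone does not stop.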

3 of 58 comments

  1. If anyone is interested in what Igexin says... by sabbede · · Score: 4, Interesting
    They have a response on their website, but for some reason won't allow it to be translated in place like the bulk of their site. Copy & paste worked though:

    Key points: On the morning of August 23, 2017, domestic websites reported content titled "Google removed more than 500 malicious applications from Google Play" and related items, pointing at Igexin SDK security issues. We understand this content came from foreign media reports; because the foreign technical staff had a biased understanding of our company's technical mechanism, they mistakenly understood the SDK's hot fix function as a backdoor for downloading malicious software, which led to some misunderstandings in the domestic media's translation and interpretation.

    The SDK's hot fix function is an important part of App operation: if a bug causes the App to stop working, the developer has to re-release it, and to get the App usable again as soon as possible many domestic App developers require this technology to be included; it is widely used for business function updates and bug fixes.

    With regard to hot fix technology, Apple and Google have both introduced new restrictions this year, changing the rules that previously allowed the use of hot updates.

    The Google Developer Center website currently states:

    For apps distributed via Google Play, you may not modify, replace, or update the app itself in any manner other than the Google Play update mechanism. Likewise, the application may not download executable code (such as dex, JAR, and .so files) from sources other than Google Play. This restriction does not apply to code that runs on a virtual machine and has limited access to the Android API (such as JavaScript in a WebView or browser).

    When we received feedback from some app developers, we contacted the Google team immediately, communicated the matter, followed up on the hot fix, and provided an SDK version that meets the latest Google Play review requirements. Developers using the affected SDK versions have updated to the new version and re-listed on Google Play, and the security warnings and other issues encountered previously have been properly resolved. The testing mentioned in the foreign media's original article took place during Google's review policy adjustment period, and the SDK version involved in the article is an earlier one that is now rarely used. In the future, we will work closely with domestic and foreign testing organizations to prevent such incidents from happening again.

    We apologize for the distress caused to developers and media organizations.

    Thank you again for your continued support of our company. We will keep optimizing our technology to provide better services to developers!

  2. Re:List by Anonymous Coward · · Score: 4, Interesting

    Not an ideal solution. You might have data and whatnot on these apps.

    Also, doing it automatically makes Google look like Microsoft and their Windows 10 updates. I guess it's just not good PR.

  3. Doesn't matter by volodymyrbiryuk · · Score: 4, Interesting

    Dumb ass users will complain that one of their favorite apps is gone and install it from 3rd party. And then complain that their phones are compromised.

    --
    sudo rm -r -f --no-preserve-root /