Sunday, November 24, 2024
HomespywareChinese Advertising Android SDK Spying on Android Users by...

Chinese Advertising Android SDK Spying on Android Users by Downloading Malicious Plugins

Published on

Chinese advertising software development kit (SDK) called  Igexin has an ability to Spying on Victims via downloading malicious plugins that have more than 500 apps used this SDK in Google Play Store.

Advertising SDK such as Igexin helps for app developers to leverage advertising networks and deliver ads to customers.

Traditional malware infection functionality used to acts as a legitimate one then later it will perform its Malicious activities by Communicating with C&C Server.But This Spying activity is quite Different from Traditional Malware infection.

This Igexin spying activity controlled from Igexin-controlled server and app developers are not responsible for this Malicious activity, even more, they Don’t aware of this payload infection.

- Advertisement - SIEM as a Service

According to Lookout Report,  Apps containing the affected SDK were downloaded over 100 million times across the Android ecosystem.

Infected Android Apps reported that around 50M-100M Downloads from game related apps,1M-5M downloads from Whether apps,500K-1M downloads from Internet radio apps,1M-5M downloads Photo editors apps etc.

Also Read    AccuWeather found Sending User Location Details Even if Location Sharing Turned Off

How Does Igexin Spying on Victims Mobile

Igexin providing a service to collecting data about the peoples and Their interest, income and their location to promoting advertising services based on the collected information.

Based on the observation and review, apps are communicating with certain IP and servers which are already severed for Malware.

App Downloading encrypted file from the following URL that is Register by one of the end point of Igexin ad SDK URL: http://sdk[.]open[.]phone[.]igexin.com/api.php.

Initially, legitimate app Download and Execute the code for evading the Detection, then later it will Download the Malware from the remote server to spying the Target.

Spying

Infected Android App in PlayStore

In this case, SDK Functionality Not all versions of the Igexin ad SDK deliver malicious functionality. The malicious versions implement a plugin framework that allows the client to load arbitrary code, as directed by responses to requests made to a REST API endpoint hosted at http://sdk.open.phone.igexin.com/api.php.

Here, API Response to the client, to download and run code in two encrypted JAR files and later SDK will decrypt the file using the API call key and finally saved it on the device.

Spying

Information of Encrypted JAR File

It Revealed that most the plugins have been call log exfiltration and the significant number of downloaded plugins register a PhoneStateListener by using the following condition.

  1. A setting stored in an internal SQLite database is enabled
  2. The app has “android.permission.READ_PHONE_STATE” permissions

PhoneStateListener Will finally save the information such as time of the call, calling number, The call state (idle, ringing, or off hook)

The app developer is ultimately responsible for disclosing in the app privacy policy all personal information the app collects. The developers also are responsible for vetting embedded third-party code and disclosing the data collection capabilities of all embedded third-party code in the privacy policy.  Lockout said.

Lockout has been reported to Google and later these infected apps were subsequently removed from the Play Store.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Spyware App Found Running on Multiple US Hotel Check-In Computers

A consumer-grade spyware app named pcTattletale has been discovered running on the check-in systems...

LightSpy Hackers Target Indian Apple Device Users To Steal Sensitive Data

Hackers target Apple device users because they are perceived to be of higher social...

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....