Chinese advertising software development kit (SDK) called  Igexin has an ability to Spying on Victims via downloading malicious plugins that have more than 500 apps used this SDK in Google Play Store.

Advertising SDK such as Igexin helps for app developers to leverage advertising networks and deliver ads to customers.

Traditional malware infection functionality used to acts as a legitimate one then later it will perform its Malicious activities by Communicating with C&C Server.But This Spying activity is quite Different from Traditional Malware infection.

This Igexin spying activity controlled from Igexin-controlled server and app developers are not responsible for this Malicious activity, even more, they Don’t aware of this payload infection.

According to Lookout Report,  Apps containing the affected SDK were downloaded over 100 million times across the Android ecosystem.

Infected Android Apps reported that around 50M-100M Downloads from game related apps,1M-5M downloads from Whether apps,500K-1M downloads from Internet radio apps,1M-5M downloads Photo editors apps etc.

Also Read    AccuWeather found Sending User Location Details Even if Location Sharing Turned Off

How Does Igexin Spying on Victims Mobile

Igexin providing a service to collecting data about the peoples and Their interest, income and their location to promoting advertising services based on the collected information.

Based on the observation and review, apps are communicating with certain IP and servers which are already severed for Malware.

App Downloading encrypted file from the following URL that is Register by one of the end point of Igexin ad SDK URL: http://sdk[.]open[.]phone[.]

Initially, legitimate app Download and Execute the code for evading the Detection, then later it will Download the Malware from the remote server to spying the Target.


Infected Android App in PlayStore

In this case, SDK Functionality Not all versions of the Igexin ad SDK deliver malicious functionality. The malicious versions implement a plugin framework that allows the client to load arbitrary code, as directed by responses to requests made to a REST API endpoint hosted at

Here, API Response to the client, to download and run code in two encrypted JAR files and later SDK will decrypt the file using the API call key and finally saved it on the device.


Information of Encrypted JAR File

It Revealed that most the plugins have been call log exfiltration and the significant number of downloaded plugins register a PhoneStateListener by using the following condition.

  1. A setting stored in an internal SQLite database is enabled
  2. The app has “android.permission.READ_PHONE_STATE” permissions

PhoneStateListener Will finally save the information such as time of the call, calling number, The call state (idle, ringing, or off hook)


The app developer is ultimately responsible for disclosing in the app privacy policy all personal information the app collects. The developers also are responsible for vetting embedded third-party code and disclosing the data collection capabilities of all embedded third-party code in the privacy policy.  Lockout said.

Lockout has been reported to Google and later these infected apps were subsequently removed from the Play Store.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.



Please enter your comment!
Please enter your name here