Friday, December 8, 2023

Chinese Advertising Android SDK Spying on Android Users by Downloading Malicious Plugins

Chinese advertising software development kit (SDK) called  Igexin has an ability to Spying on Victims via downloading malicious plugins that have more than 500 apps used this SDK in Google Play Store.

Advertising SDK such as Igexin helps for app developers to leverage advertising networks and deliver ads to customers.

Traditional malware infection functionality used to acts as a legitimate one then later it will perform its Malicious activities by Communicating with C&C Server.But This Spying activity is quite Different from Traditional Malware infection.

This Igexin spying activity controlled from Igexin-controlled server and app developers are not responsible for this Malicious activity, even more, they Don’t aware of this payload infection.

According to Lookout Report,  Apps containing the affected SDK were downloaded over 100 million times across the Android ecosystem.

Infected Android Apps reported that around 50M-100M Downloads from game related apps,1M-5M downloads from Whether apps,500K-1M downloads from Internet radio apps,1M-5M downloads Photo editors apps etc.

Also Read    AccuWeather found Sending User Location Details Even if Location Sharing Turned Off

How Does Igexin Spying on Victims Mobile

Igexin providing a service to collecting data about the peoples and Their interest, income and their location to promoting advertising services based on the collected information.

Based on the observation and review, apps are communicating with certain IP and servers which are already severed for Malware.

App Downloading encrypted file from the following URL that is Register by one of the end point of Igexin ad SDK URL: http://sdk[.]open[.]phone[.]

Initially, legitimate app Download and Execute the code for evading the Detection, then later it will Download the Malware from the remote server to spying the Target.


Infected Android App in PlayStore

In this case, SDK Functionality Not all versions of the Igexin ad SDK deliver malicious functionality. The malicious versions implement a plugin framework that allows the client to load arbitrary code, as directed by responses to requests made to a REST API endpoint hosted at

Here, API Response to the client, to download and run code in two encrypted JAR files and later SDK will decrypt the file using the API call key and finally saved it on the device.


Information of Encrypted JAR File

It Revealed that most the plugins have been call log exfiltration and the significant number of downloaded plugins register a PhoneStateListener by using the following condition.

  1. A setting stored in an internal SQLite database is enabled
  2. The app has “android.permission.READ_PHONE_STATE” permissions

PhoneStateListener Will finally save the information such as time of the call, calling number, The call state (idle, ringing, or off hook)

The app developer is ultimately responsible for disclosing in the app privacy policy all personal information the app collects. The developers also are responsible for vetting embedded third-party code and disclosing the data collection capabilities of all embedded third-party code in the privacy policy.  Lockout said.

Lockout has been reported to Google and later these infected apps were subsequently removed from the Play Store.


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles