Tuesday, May 28, 2024

Chinese Advertising Android SDK Spying on Android Users by Downloading Malicious Plugins

Chinese advertising software development kit (SDK) called  Igexin has an ability to Spying on Victims via downloading malicious plugins that have more than 500 apps used this SDK in Google Play Store.

Advertising SDK such as Igexin helps for app developers to leverage advertising networks and deliver ads to customers.

Traditional malware infection functionality used to acts as a legitimate one then later it will perform its Malicious activities by Communicating with C&C Server.But This Spying activity is quite Different from Traditional Malware infection.

This Igexin spying activity controlled from Igexin-controlled server and app developers are not responsible for this Malicious activity, even more, they Don’t aware of this payload infection.

According to Lookout Report,  Apps containing the affected SDK were downloaded over 100 million times across the Android ecosystem.

Infected Android Apps reported that around 50M-100M Downloads from game related apps,1M-5M downloads from Whether apps,500K-1M downloads from Internet radio apps,1M-5M downloads Photo editors apps etc.

Also Read    AccuWeather found Sending User Location Details Even if Location Sharing Turned Off

How Does Igexin Spying on Victims Mobile

Igexin providing a service to collecting data about the peoples and Their interest, income and their location to promoting advertising services based on the collected information.

Based on the observation and review, apps are communicating with certain IP and servers which are already severed for Malware.

App Downloading encrypted file from the following URL that is Register by one of the end point of Igexin ad SDK URL: http://sdk[.]open[.]phone[.]igexin.com/api.php.

Initially, legitimate app Download and Execute the code for evading the Detection, then later it will Download the Malware from the remote server to spying the Target.


Infected Android App in PlayStore

In this case, SDK Functionality Not all versions of the Igexin ad SDK deliver malicious functionality. The malicious versions implement a plugin framework that allows the client to load arbitrary code, as directed by responses to requests made to a REST API endpoint hosted at http://sdk.open.phone.igexin.com/api.php.

Here, API Response to the client, to download and run code in two encrypted JAR files and later SDK will decrypt the file using the API call key and finally saved it on the device.


Information of Encrypted JAR File

It Revealed that most the plugins have been call log exfiltration and the significant number of downloaded plugins register a PhoneStateListener by using the following condition.

  1. A setting stored in an internal SQLite database is enabled
  2. The app has “android.permission.READ_PHONE_STATE” permissions

PhoneStateListener Will finally save the information such as time of the call, calling number, The call state (idle, ringing, or off hook)

The app developer is ultimately responsible for disclosing in the app privacy policy all personal information the app collects. The developers also are responsible for vetting embedded third-party code and disclosing the data collection capabilities of all embedded third-party code in the privacy policy.  Lockout said.

Lockout has been reported to Google and later these infected apps were subsequently removed from the Play Store.


Latest articles

Researchers Exploited Nexus Repository Using Directory Traversal Vulnerability

Hackers target and exploit GitHub repositories for a multitude of reasons and illicit purposes.The...

DDNS Service In Fortinet Or QNAP Embedded Devices Exposes Sensitive Data, Researchers Warn

Hackers employ DNS for various purposes like redirecting traffic to enable man-in-the-middle attacks, infecting...

PoC Exploit Released For macOS Privilege Escalation Vulnerability

A new vulnerability has been discovered in macOS Sonoma that is associated with privilege...

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS)...

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to...

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles