Thursday, March 28, 2024

Chinese Advertising Android SDK Spying on Android Users by Downloading Malicious Plugins

Chinese advertising software development kit (SDK) called  Igexin has an ability to Spying on Victims via downloading malicious plugins that have more than 500 apps used this SDK in Google Play Store.

Advertising SDK such as Igexin helps for app developers to leverage advertising networks and deliver ads to customers.

Traditional malware infection functionality used to acts as a legitimate one then later it will perform its Malicious activities by Communicating with C&C Server.But This Spying activity is quite Different from Traditional Malware infection.

This Igexin spying activity controlled from Igexin-controlled server and app developers are not responsible for this Malicious activity, even more, they Don’t aware of this payload infection.

According to Lookout Report,  Apps containing the affected SDK were downloaded over 100 million times across the Android ecosystem.

Infected Android Apps reported that around 50M-100M Downloads from game related apps,1M-5M downloads from Whether apps,500K-1M downloads from Internet radio apps,1M-5M downloads Photo editors apps etc.

Also Read    AccuWeather found Sending User Location Details Even if Location Sharing Turned Off

How Does Igexin Spying on Victims Mobile

Igexin providing a service to collecting data about the peoples and Their interest, income and their location to promoting advertising services based on the collected information.

Based on the observation and review, apps are communicating with certain IP and servers which are already severed for Malware.

App Downloading encrypted file from the following URL that is Register by one of the end point of Igexin ad SDK URL: http://sdk[.]open[.]phone[.]igexin.com/api.php.

Initially, legitimate app Download and Execute the code for evading the Detection, then later it will Download the Malware from the remote server to spying the Target.

Spying

Infected Android App in PlayStore

In this case, SDK Functionality Not all versions of the Igexin ad SDK deliver malicious functionality. The malicious versions implement a plugin framework that allows the client to load arbitrary code, as directed by responses to requests made to a REST API endpoint hosted at http://sdk.open.phone.igexin.com/api.php.

Here, API Response to the client, to download and run code in two encrypted JAR files and later SDK will decrypt the file using the API call key and finally saved it on the device.

Spying

Information of Encrypted JAR File

It Revealed that most the plugins have been call log exfiltration and the significant number of downloaded plugins register a PhoneStateListener by using the following condition.

  1. A setting stored in an internal SQLite database is enabled
  2. The app has “android.permission.READ_PHONE_STATE” permissions

PhoneStateListener Will finally save the information such as time of the call, calling number, The call state (idle, ringing, or off hook)

The app developer is ultimately responsible for disclosing in the app privacy policy all personal information the app collects. The developers also are responsible for vetting embedded third-party code and disclosing the data collection capabilities of all embedded third-party code in the privacy policy.  Lockout said.

Lockout has been reported to Google and later these infected apps were subsequently removed from the Play Store.

Website

Latest articles

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles