Official storefronts that sell apps — Google Play and Apple’s App Store — do their best to make sure everything they’re distributing to you isn’t going to wreck your phone or steal your data. But one vulnerability in code used in hundreds of Android apps has allowed malicious actors to change what your app does after you download and install it, and the problem has affected millions.
The mobile security firm Lookout announced its discovery in a blog post this week.
The problem apps had significant spread: The bad code was in more than 500 apps, which cumulatively had more than 100 million downloads. Lookout did not name most of the apps, but at least one, a “game targeted at teens,” had between 50 and 100 million downloads on its own.
Where did the code come from?
Software development is like any other kind of complicated product: Not every company reinvents the whole wheel for itself.
Think of cars: Honda, Ford, and Toyota each make some parts themselves, sure, but they outsource things like airbags and tires to third parties that specialize in those products, and distribute them to many companies. So, too, with code.
Software development kits — SDKs — are basically little bundles of pre-written, pre-packaged code you can drop into your product to do something for you so that you don’t have to reinvent it from scratch. Basically every app out there, from the smallest mobile app to the biggest blockbuster video game, licenses and uses some SDKs to build the final product.
That’s all well and good, as long as the SDK is legitimate and not compromised. But this particular SDK, Igexin, appears not to have met that standard.
How does it work?
The Igexin SDK is used to serve up targeted advertising to people using free apps. So far, so good; that’s a common, if annoying, function.
But the researchers at Lookout noticed an unusual traffic pattern coming from apps using the Igexin SDK. The pattern was consistent with behavior the researchers had typically seen when “clean” apps surreptitiously install some kind of malware after the fact, to avoid detection up front.
That made Lookout researchers look more closely, and they found that the malicious versions of the Igexin SDK allowed third parties to remotely load new code onto a user’s device to do, basically, anything.
The most serious behavior Lookout actually observed from any of the apps using the malicious version of the SDK is “call log exfiltration.” Or, in plain words, your phone records: the numbers that call you or that you call, when, and whether the call connected or not.
What should I do about it?
Lookout informed Google of its findings before publishing the public breakdown, and compromised apps were either removed from the Google Play store or were replaced with updated versions that had the problem code removed. So first things first: Make sure you update any apps on your phone when you’re prompted to.
Beyond that, however, watching out for app safety can be challenging.
First and foremost, read app descriptions carefully and use good judgement when you’re downloading them. Many are questionable ventures from fly-by-night outfits, and those are comparatively easy to spot.
As the Igexin issue demonstrates, though, that’s not foolproof; even a popular app, reputable enough to rack up more than 50 million downloads, can be vulnerable when third-party code is at fault.
A third-party security suite or anti-malware program can help protect your phone from this kind of vulnerability, the same way it can for your computer (and many mobile security programs are from the same companies that make them for your desktop or laptop).
The Lookout researchers, of course, recommend Lookout products in their post, but there are plenty of other options, too. Our colleagues down the hall at Consumer Reports have some recommendations.
Editor's Note: This article originally appeared on Consumerist.