File photo: Sameer Samat, vice president of product management, Android and Google Play, speaks on stage during the annual Google I/O developers conference in San Jose, California, U.S., May 17, 2017. (REUTERS/Stephen Lam)
More than 500 "invasive" Android apps have been updated or removed from Google Play after researchers discovered they could have been used to spy on users through a malicious advertising software development kit (SDK).
The ad SDK came from a Chinese company called Igexin, and "apps containing the affected SDK were downloaded over 100 million times across the Android ecosystem," according to researchers with Lookout's Security Intelligence team, who alerted Google about it.
An app called LuckyCash and Meitu's SelfieCity were among the infected apps, but they no longer use the malicious Igexin ad SDK, Lookout said.
Developers of many of the affected apps were "likely… not aware of the personal information that could be exfiltrated from their customers' devices as a result of embedding Igexin's ad SDK," Lookout said.
Discovering these malicious qualities "required deep analysis of the apps' and ad SDK's behavior," they wrote. "Not only is the functionality not immediately obvious, it could be altered at any time on the remote server."
Lookout has not revealed the names of any other affected apps but said the list includes a popular game targeted at teens that received between 50 million to 100 million downloads; a weather app and photo-editing app, each with at least 1 million downloads; and an internet radio app with at least 500,000 downloads. The list also includes unnamed educational, health and fitness, travel, emoji, and home video camera apps.
"While not all of these applications have been confirmed to download the malicious spying capability, Igexin could have introduced that functionality at their convenience," Lookout's Security Intelligence team wrote. They added that "it is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server."
Lookout researchers also recently identified more than 1,000 spyware-infested apps capable of recording audio and snooping on call logs, contacts, and more. The spyware in question, called SonicSpy, showed up in Google Play via three messaging apps: Hulk Messenger, Troy Chat, and Soniac, which have since been removed. The rest appeared on third-party Android app stores.
This article originally appeared on PCMag.com.
Get a daily look at what’s developing in science and technology throughout the world.