It seems that, especially in the case of Google Play, there has been an increasing number of incidents where official app stores fail to detect malicious activity. In my own reporting, I’ve seen a massive uptick in Google Play Store spyware or other malicious apps getting the green light, receiving millions of downloads, only to then have security researchers alert Google to these apps getting compromised. It is becoming more and more difficult for the company to keep up with these incidents, as the most recent app purge proves.
In an August 21 report, researchers at Lookout detailed an advertising software development kit (SDK) that left over 500 apps on Google Play open to malicious plugins. The plugins allowed threat actors to spy on unsuspecting victims who had downloaded apps that were otherwise safe. The SDK, named Igexin, was a tricky threat to identify because not every instance of it included the malicious spying capabilities.
What makes this Igexin infection different from other Google Play Store spyware incidents is the lack of involvement from the app developers. Unlike in many of the mass infections we have seen in the past, the developers of the apps embedding Igexin played no part in creating or downloading the malicious functionality. As Lookout’s report states:
The invasive activity initiates from an Igexin-controlled server... many app developers were not aware of the personal information that could be exfiltrated from their customers’ devices as a result of embedding Igexin’s ad SDK ... Not only is the functionality not immediately obvious, it could be altered at any time on the remote server.
As was mentioned earlier in the article, upon receiving the alert from Lookout, Google proceeded to take action and eliminate all applications containing the Igexin SDK. One has to wonder if Google is doing enough to monitor its applications following their initial vetting. It’s all well and good to prevent malicious applications from entering the Play Store, but what about the applications that don’t become malicious until later?
In an article reporting on this incident, Kaspersky Lab’s Threatpost pointed out how “Google said it analyzes aspects of the developer’s business, customer feedback, software code and application behavior,” which results in a situation where “apps and developers that have a high probability of bad behavior are red flagged and human analysis can confirm if there is a security problem.”
This is all well and good, but it doesn’t seem to be enough. Where would Google be without security firms alerting them to these issues? People place their trust in Google Play Store because it is the safest place to download Android apps. If Google doesn’t catch up to this new style of attack where apps get infected post-upload, they may find themselves with a major crisis soon.