<%rssLink ()%> <%googleAnalytics ()%>

Did Over 500 Android apps contain spyware?Updated automatically every 5 minutes

Other directories: help, engl1190, umw, lane, commons, open, adp, n490, hyp, mac, psu, cfcs

Did Over 500 Android apps contain spyware?


More than 500 Android apps utilized an advertising software package known as Igexin. There is ample evidence that this software contained code that collected phone data and uploaded it to the Igexin servers without the user's knowledge. It also allowed code from Igexin servers to be downloaded and executed on the phone. Some of the data collected contained call times and phone numbers. Although the intent behind Igexin's use of the call data is unconfirmed, it is clear that a vulnerability had been found and spyware was present on the devices. It is this invasion of privacy and code execution vulnerability that warranted Google's removal of the apps from the Play Store.

Origin and Prevalence

The story [1] originated from the reputable mobile security software developer Lookout.The intelligence team at Lookout analyzed the Igexin SDK (Software Development Kit) as part of a routine analysis of mobile apps that were previously suspected of communicating with malicious servers.

Upon further analysis of the SDK, it was discovered that the software was able to download code from the Igexin servers that would be executed by the app. Lookout observed code that would log and upload caller data to the remote Igexin servers. As a result, all apps that contained the SDK were pulled from the Google App Store due to a Terms of Service [2] violation. It was later found that not all apps used that particular version of the SDK and thus did not contain the spyware.

Issues and Analysis

An in-depth analysis of the Igexin code by the Lookout research team1 revealed that the framework allowed the client to connect to the Igexin servers, download encrypted arbitrary code (scrambled computer code unrelated to the app), and then force the device to run the code (execute). It was observed that the code being executed contained a function called PhoneStateListener, which is a way for the app to gather call data. In this particular case, the call times, call state, and phone numbers were logged and uploaded to the Igexin servers (computers owned by the marketing agency that could store user information.)

Shortly after the Cyberscoop article [3] was published, Igexin representative Cathy Zhang reached out to Cyberscoop explaining that the PhoneStateListener was needed to analyze call state and times, to see how often calls were made on average, in order to optimize the connection. Zhang explained that the phone number was encrypted and used as an anonymous ID.

While it is understandable that call state can be used to optimize the connection based on call frequency, the use of the phone numbers raise suspicion. Lookout argued that the phone numbers were easily decrypted (unscrambled) and that other methods to create an anonymous ID could have been used. Which begs two questions; "Did Igexin have another reason for collecting the phone numbers?" and "Why did the Igexin code need a method to download remote code from Igexin servers to be executed?"

A study [4] by computer scientists at Stanford concluded that phone metadata, like what Igexin was collecting, could be used to identify very private information about the user. Ranging from which products they often shop for to even their own health conditions, all very sensitive and valuable data for a marketing agency to target its potential customers with.


[1] Bauer, Adam, and Christoph Hebeisen. "Igexin advertising network put user privacy at risk." August 21, 2017. https://blog.lookout.com/igexin-malicious-sdk.

[2] Google Inc. "Google APIs Terms of Service." Google Developers. December 5, 2014. https://developers.google.com/terms/.

[3] O'Neill, Patrick H. "Chinese ad platform secretly stole phone data from Android devices." Cyberscoop Technology. August 21, 2017. https://www.cyberscoop.com/igexin-android-data-lookout/

[4] Carey, Bjorn. "Stanford computer scientists show telephone metadata can reveal..." Stanford News. May 16, 2016. https://news.stanford.edu/2016/05/16/stanford-computer-scientists-show-telephone-metadata-can-reveal-surprisingly-sensitive-personal-information/.

All Content released CC0 (Public Domain) by the Digital Polarization Initiative.

The Digital Polarization Initiative is a cross-institutional project that encourages students to investigate and verify the information they find online. Articles are student-produced, and should be checked for accuracy before citation as sources.

DigiPo members can edit this page

Photo Credit: Header photos generate in randomly. Check this page for a list of photography credits and licensing.

The Digital Polarization Initiative is a student-run project which allows university students to investigate questions of truth and authority on the web and publish their results. Learn more, or see our index. Photo credits here. DigiPo members can edit this page.