More than 500 Android apps utilized an advertising software package known as Igexin. There is ample evidence that this software contained code that collected phone data and uploaded it to the Igexin servers without the user's knowledge. It also allowed code from Igexin servers to be downloaded and executed on the phone. Some of the data collected contained call times and phone numbers. Although the intent behind Igexin's use of the call data is unconfirmed, it is clear that a vulnerability had been found and spyware was present on the devices. It is this invasion of privacy and code execution vulnerability that warranted Google's removal of the apps from the Play Store.
The story originated from the reputable mobile security software developer Lookout. The intelligence team at Lookout analyzed the Igexin SDK (Software Development Kit) as part of a routine analysis of mobile apps that were previously suspected of communicating with malicious servers.
Upon further analysis of the SDK, it was discovered that the software was able to download code from the Igexin servers that would be executed by the app. Lookout observed code that would log and upload caller data to the remote Igexin servers. As a result, all apps that contained the SDK were pulled from the Google App Store due to a Terms of Service violation. It was later found that not all apps used that particular version of the SDK and thus did not contain the spyware.
An in-depth analysis of the Igexin code by the Lookout research team [1] revealed that the framework allowed the client to connect to the Igexin servers, download encrypted arbitrary code (scrambled computer code unrelated to the app), and then force the device to run the code (execute). It was observed that the code being executed contained a function called PhoneStateListener, which is a way for the app to gather call data. In this particular case, the call times, call state, and phone numbers were logged and uploaded to the Igexin servers (computers owned by the marketing agency that could store user information).
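As an added illustration (not code from Lookout or Igexin), the two behaviours described above can be turned into a static triage check over an app's decompiled sources: flag any package that both loads code at runtime and registers a call-state listener. The Android API names are real; the package names, sample sources and the heuristic itself are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Android API names below are real; treating their co-occurrence inside one
# package as a review trigger is this example's own heuristic (an assumption).
INDICATORS = {
    "dynamic_code_loading": re.compile(r"\b(?:DexClassLoader|InMemoryDexClassLoader)\b"),
    "call_state_listener": re.compile(r"\b(?:PhoneStateListener|LISTEN_CALL_STATE)\b"),
    "network_io": re.compile(r"\b(?:HttpURLConnection|HttpsURLConnection|OkHttpClient)\b"),
}

def package_of(path, depth=3):
    """Reduce 'com/vendor/sdk/a/B.java' to 'com.vendor.sdk' so hits group per SDK."""
    return ".".join(path.split("/")[:-1][:depth])

def scan(sources):
    """Return {package: set of indicator names seen in that package's files}."""
    seen = defaultdict(set)
    for path, text in sources.items():
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                seen[package_of(path)].add(name)
    return dict(seen)

def triage(sources, permissions):
    """List (package, finding) pairs that merit manual review."""
    findings = []
    for pkg, names in sorted(scan(sources).items()):
        if {"dynamic_code_loading", "network_io"} <= names:
            findings.append((pkg, "loads code at runtime and talks to the network"))
        if "call_state_listener" in names and "android.permission.READ_PHONE_STATE" in permissions:
            findings.append((pkg, "registers a call-state listener with READ_PHONE_STATE granted"))
    return findings

# Constructed sample: decompiled-source excerpts for a hypothetical app.
SAMPLE_SOURCES = {
    "com/example/adsdk/core/Loader.java":
        "HttpURLConnection c = (HttpURLConnection) url.openConnection();\n"
        "new DexClassLoader(jarPath, optDir, null, parent).loadClass(name);",
    "com/example/adsdk/ext/CallWatcher.java":
        "class CallWatcher extends PhoneStateListener {\n"
        "  public void onCallStateChanged(int state, String phoneNumber) {} }",
    "com/example/game/MainActivity.java":
        "HttpURLConnection c = (HttpURLConnection) scoreUrl.openConnection();",
}
SAMPLE_PERMISSIONS = {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE"}

if __name__ == "__main__":
    for pkg, finding in triage(SAMPLE_SOURCES, SAMPLE_PERMISSIONS):
        print(f"{pkg}: {finding}")
```

A hit is a prompt for manual review of that package, not proof of spyware: the listener and runtime class loading both have legitimate uses.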
Shortly after the Cyberscoop article was published, Igexin representative Cathy Zhang reached out to Cyberscoop explaining that the PhoneStateListener was needed to analyze call state and times, to see how often calls were made on average, in order to optimize the connection. Zhang explained that the phone number was encrypted and used as an anonymous ID.
While it is understandable that call state can be used to optimize the connection based on call frequency, the use of the phone numbers raises suspicion. Lookout argued that the phone numbers were easily decrypted (unscrambled) and that other methods to create an anonymous ID could have been used. This raises two questions: "Did Igexin have another reason for collecting the phone numbers?" and "Why did the Igexin code need a method to download remote code from Igexin servers to be executed?"
A study by computer scientists at Stanford concluded that phone metadata, like what Igexin was collecting, could be used to identify very private information about the user, ranging from which products they often shop for to their own health conditions. All of this is very sensitive and valuable data for a marketing agency to target its potential customers with.
[1] Bauer, Adam, and Christoph Hebeisen. "Igexin advertising network put user privacy at risk." August 21, 2017. https://blog.lookout.com/igexin-malicious-sdk.
[2] Google Inc. "Google APIs Terms of Service." Google Developers. December 5, 2014. https://developers.google.com/terms/.
[3] O'Neill, Patrick H. "Chinese ad platform secretly stole phone data from Android devices." Cyberscoop Technology. August 21, 2017. https://www.cyberscoop.com/igexin-android-data-lookout/.
[4] Carey, Bjorn. "Stanford computer scientists show telephone metadata can reveal..." Stanford News. May 16, 2016. https://news.stanford.edu/2016/05/16/stanford-computer-scientists-show-telephone-metadata-can-reveal-surprisingly-sensitive-personal-information/.