A Closer Look at Spyware Apps Distributed by Google

Phone apps and SDKs

Software development kits (SDKs) help developers quickly build advertising into their apps so that they can earn advertising revenue from them. Until recently, Google didn't allow any changes to an SDK once it had been checked into the Play Store. Enter Chinese SDK creator Igexin.

Sneaky Igexin SDK

Igexin is responsible for more than 500 Android apps in the Google Play Store being compromised. Previously they were not able to alter their SDK once it went to market, because of Google's strict guidelines around SDK implementation. Their workaround was to get approval from the app's developer to make some small updates to the SDK package and re-submit it to the Google Play Store. These small changes were obfuscated and encrypted to hide the call-tracking functionality that was being inserted.

What is the threat?

Igexin could do whatever it liked with the call data it received from users of applications built with its SDK. This call data could be sold to other companies for telemetry purposes or even to a government for large-scale call tracking. The affected apps include weather apps, teen-oriented games, photo editors, radio apps and even some fitness apps. With over 100 million downloads of just one of these apps, Igexin put a lot of people's privacy and data at risk.

One of the most downloaded apps was called "Lucky Cash - Earn Free Money", which showed the user a fake Google prompt asking for full access to the phone's call functionality. Millions of users could have unknowingly granted this access. The plugin uses an Android "PhoneStateListener", which can capture the time of a call, the state of the call and the calling number. The data is then sent, encrypted, to Igexin's API for purposes which remain unknown.

What can I do?

From a user's perspective, whenever you download an app from the app store you should be shown every permission the application needs from your phone in order to operate. This is where common sense needs to come in. First, do you even need or want the app? Do the permissions requested seem reasonable for the app? For example, does this calculator app really need access to your contact list or pictures? Once you have installed an app, you shouldn't be prompted by the Play Store via a pop-up for additional permissions. Lastly, be sure to review your apps on occasion and uninstall any that you are no longer using.
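For an analyst vetting an app rather than an end user reading the install prompt, the same permission review can be done against the app's AndroidManifest.xml. The following Python check (an added example, not code from the original post or from any app or SDK it describes) flags the permissions that let an embedded PhoneStateListener observe call state and numbers, and whether the app can also reach the network; the weather-app manifest is constructed for the example.

```python
"""Flag Android manifest permissions that let an embedded SDK observe phone calls."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that gate call observation. READ_PHONE_STATE lets a
# PhoneStateListener receive call-state changes and timing; from Android 9
# the incoming number is withheld unless READ_CALL_LOG is also held.
CALL_OBSERVATION = {
    "android.permission.READ_PHONE_STATE": "call state and timing",
    "android.permission.READ_CALL_LOG": "calling numbers (Android 9+)",
    "android.permission.PROCESS_OUTGOING_CALLS": "dialled numbers",
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def call_observation_findings(manifest_xml: str) -> dict:
    """Return the declared permissions that enable call observation, with a reason."""
    perms = declared_permissions(manifest_xml)
    return {p: why for p, why in CALL_OBSERVATION.items() if p in perms}


def can_exfiltrate(manifest_xml: str) -> bool:
    """True if the app can both observe calls and send data over the network."""
    perms = declared_permissions(manifest_xml)
    has_network = "android.permission.INTERNET" in perms
    return bool(call_observation_findings(manifest_xml)) and has_network


# Constructed sample manifest for a hypothetical weather app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>
"""

if __name__ == "__main__":
    # A weather app has no plausible need for call state or call logs.
    for perm, why in call_observation_findings(SAMPLE_MANIFEST).items():
        print(f"{perm}: allows capture of {why}")
    print("can observe calls and send data:", can_exfiltrate(SAMPLE_MANIFEST))
```

The manifest inside a published APK is binary-encoded; decode it with a tool such as apktool or aapt before feeding it to this check.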

Even following the suggestions above is no guarantee. Igexin has put trusted downloads in a new light and serves as a reminder that you can no longer trust an app primarily on the strength of its download count.

Rotten to the Core – Thousands of Apps in Apple’s Store Infected

A multitude of apps in Apple's Chinese App Store contained a form of malware that recently bypassed Apple's code screening process. Researchers at FireEye have found approximately 4,000 apps to be infected with the XcodeGhost malware, affecting hundreds of millions of iOS users worldwide. Once downloaded, these malicious applications have the potential to obtain and use device and user information, though Apple has said they've found nothing to suggest any malicious activity as of yet.

Xcode is an integrated development environment (IDE) containing the suite of software development tools provided by Apple for building software for OS X and iOS. XcodeGhost is the malware found in unofficial versions of Xcode downloaded by Chinese developers. It modifies Xcode so that the iOS applications it compiles are infected. WeChat and Angry Birds 2 are just two examples of popular infected applications that are now being updated in the App Store with malware-free versions, while many other iOS applications identified as infected with XcodeGhost are temporarily unavailable. In conjunction with this, Apple has sent email notifications to affected developers instructing them to recompile their products with the official Xcode and re-submit them, in order to prevent future breaches. Is it too late, however? Has the damage been done?

Some are labelling this incident as a "first of its kind security breach" exposing a vulnerability and security gap in Apple's mobile platform, which was once regarded as the most secure of its kind. It is important to note that this malware was not identified before it reached Apple and its users. How did this happen, and how might it have been prevented? With modern tools and technologies in place to protect against such occurrences, how will organizations such as Apple move forward in addressing this security gap?

What one can deduce from this incident is that, contrary to popular belief, Apple is not in fact safer and more secure than PC/Android. Does this incident mean reduced credibility and competitive advantage for Apple within the market? I suppose that is something yet to be determined. What we do know for certain, however, is that a security gap very much exists today. Users, unfortunately, are not as aware as they should be when downloading files and applications, especially when the applications in question are hosted by a "trustworthy" source such as the App Store.