Google has reportedly removed at least 500 apps from the Play Store after a security firm revealed that they all contained a problematic software development kit (SDK). The SDK at fault was the Igexin advertising SDK, which had previously been suspected of spreading malware.
Security experts at Lookout first identified the problem. The firm noted that 500 apps, which had been downloaded more than 100 million times, used the SDK, but not all versions could potentially deliver malware. Instead, the intrusive functions could have been downloaded and introduced at a later date, without the app developer’s or user’s knowledge. It’s speculated that hackers were exploiting a security bug in the SDK to install malicious content at this time.
Lookout informed Google of the problems with the Igexin SDK, and the affected apps have either been removed or replaced with a revised version that does not include the flawed SDK. For example, Lookout confirms that two apps which had security concerns, LuckyCash and SelfieCity, have been updated and no longer use the Igexin SDK. The apps covered various categories, ranging from weather apps to travel, radio, and games.
The technical details of the code, and of Lookout’s investigation, can be found on the company’s website.