Very recently, Google had to pull more than 500 apps from its Android Google Play store. The apps that were pulled were collectively downloaded more than 100 million times by affected victims. These apps all had one reason in common for why they had to be pulled: they had all integrated a malicious advertising software development kit (SDK) called Igexin into their software. This malicious SDK is actually spyware with data-theft code built in. When Google realized the scale of the problem, it acted swiftly to remove any compromised apps. These apps included games, fitness, educational, travel, keyboard, and many other app types. The malicious activity was detected by the security firm Lookout, and details have been posted on their blog.

Malware developers have become very clever over time and for some time have been publishing apps onto app stores. These were attempts to appear legitimate; however, the mask of legitimacy that hackers wear seems to have changed. Igexin sets a new standard because malicious actors created an advertising network that integrated with numerous apps, which may have led to over 100 million compromised users. This approach makes Igexin a significant threat and a turning point in mobile malware.

Igexin presented itself as an ad network and promoted itself as a solution for advertising services seeking to leverage user data for more targeted advertisements. The Igexin endpoint and SDK were generating a lot of suspicious activity, which prompted Lookout researchers to explore further. The traffic patterns identified resembled those common to other malware deployments. App developers who used the SDK would have been in the dark about Igexin's malicious nature.

The basic data that Igexin's website says it collects includes user interests, occupation, income, and location. This type of data is commonly collected by advertisers in order to make relevant creative decisions. However, in the hands of a malicious actor, this data could provide enough information about a user to turn them into a significant insider threat to their employer. This is only the beginning of its capabilities.

Igexin has a very dangerous feature that went undetected for a while. That feature is called log exfiltration, which allowed hackers to get away with far more user data than they were ever granted permission for. Such information can then either be used by the hackers or sold on the darknet.

Companies should be very concerned about the mobile security of their employees' devices. This is especially true if a mobile device is used for any work-related activities. Igexin reveals another gateway for turning an insider's everyday activities on their device into a real threat to your organization. In this situation, an insider may log in to their email or a third-party business system through their mobile device. With those credentials, hackers can log in as well to steal sensitive data from your network. If you're a small business, the hacker may even use your business as a platform for attack, as happened in the case of Target and its HVAC supplier.

This large-scale attack is a critical reminder of why cyber security is important on all devices connected to the web. If you or your employees use a mobile device to do work in any way, then you may be at risk of an insider incident. It helps to have a security solution that can detect malicious behavior and work to either prevent or mitigate the breach before it gets out of hand.