Google killed secret plugin download capability after being alerted by researchers.

At least 500 apps collectively downloaded more than 100 million times from Google's official Play Market contained a secret backdoor that allowed developers to install a range of spyware at any time, researchers said Monday.

The apps contained a software development kit called Igexin, which makes it easier for apps to connect to ad networks and deliver ads that are targeted to the specific interests of end users. Once an app using a malicious version of Igexin was installed on a phone, the developer kit could update the app to include spyware at any time, with no warning. The most serious spyware installed on phones were packages that stole call histories, including the time a call was made, the number that placed the call, and whether the call went through. Other stolen data included GPS locations, lists of nearby Wi-Fi networks, and lists of installed apps.

In a blog post published Monday, researchers from mobile security company Lookout wrote:

It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality - nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server.
The apps that contain the SDK included:

• Games targeted at teens (one with 50M-100M downloads)
• Weather apps (one with 1M-5M downloads)
• Internet radio (500K-1M downloads)
• Photo editors (1M-5M downloads)
• Educational, health and fitness, travel, emoji, home video camera apps

Not all of the 500 apps had installed one of the plugins silently delivered by Igexin, but the researchers said the developer kit could have caused any of the apps to download and install such plugins whenever the development kit operators wanted. The type of plugin that could be delivered was limited by the Android permission system. Additionally, not all versions of Igexin delivered the spying functions. Versions that did relied on a plugin framework that allowed devices to load arbitrary code, as directed by the response to requests the devices made periodically to a server located at http://sdk.open.phone.igexin.com/api.php.

In an e-mail, a Google spokesman said: "We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe."

Igexin officials didn't respond to an e-mail seeking comment for this post.