An advertising software development kit (SDK) called Igexin, which can spy on users through otherwise benign apps by downloading malicious plugins at runtime, was found in around 500 Google Play apps by security company Lookout.
Lookout informed Google of the functionality and the apps were removed or updated.
These apps were downloaded over 100 million times in total, although not all of them are confirmed to have fetched the malicious spying plugin.
According to The Register, user activity was sent back to a Chinese company; the basis given for that attribution is that the registrar of the igexin.com domain is Xin Net Technology Corporation, a Beijing-based business. On its own, a registrar's location is weak evidence, since it identifies who sold the domain rather than who operates it.
“It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time downloading malicious code from a remote server,” explained Christoph Hebeisen, engineering manager, security R&D at Lookout.
Igexin was described as “somewhat unique” because the app developers themselves did not write the malicious functionality, and neither controlled nor were even aware of it: the malicious activity is driven by an Igexin-controlled server, which decides what the embedded SDK downloads and runs.
The apps containing the SDK included games targeted at teens, one of which clocked up between 50 million and 100 million downloads, along with weather, internet radio, photo editors, education, health and fitness, travel and emojis.
Typically, mobile apps embed advertising SDKs so that developers can easily plug into advertising networks and serve ads to users; the SDK's code runs inside the app's process, with the same permissions the user granted to the app.
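The capability Lookout describes, an app that ships clean and later pulls code from a server, leaves a recognisable footprint in the app's bytecode: it needs a network fetch, a file write into app storage, and a dynamic class loader. The following Python is an added example of how an analyst can triage an APK for that footprint; it is not Lookout's tooling and not Igexin's code. It parses the string table of a classes.dex file (the real dex layout: string_ids_size and string_ids_off at header offsets 0x38 and 0x3C, each entry pointing at a ULEB128 length followed by NUL-terminated MUTF-8 data) and matches the strings against groups of standard Android and Java identifiers. The dex blob it runs on is constructed in-memory by `build_sample_dex`, which is a test fixture, not a real app; the class name `Lcom/example/ads/PluginLoader;` and the update URL are made up.

```python
"""Triage an Android dex file for runtime code-loading capability.

Added example (not Lookout's or Igexin's code). A benign-looking app that
later downloads and runs a plugin has to (1) fetch bytes over the network,
(2) write them to app-private storage and (3) load them with a class loader.
All three show up as strings in the dex string table, which is what we scan.
"""
import struct
from collections import defaultdict

# Indicator groups: standard Android/Java descriptors and method names.
INDICATORS = {
    "dynamic_load": (
        "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/PathClassLoader;",
        "Ldalvik/system/InMemoryDexClassLoader;",
        "loadClass",
        "loadDex",
    ),
    "network_fetch": ("Ljava/net/HttpURLConnection;", "openConnection", "Lokhttp3/OkHttpClient;"),
    "file_write": ("Ljava/io/FileOutputStream;", "getCodeCacheDir", "getDir"),
    "reflection": ("Ljava/lang/reflect/Method;", "getDeclaredMethod", "invoke"),
}


def _read_uleb128(data, off):
    """Decode a ULEB128 integer starting at data[off]; return (value, next_off)."""
    result = shift = 0
    while True:
        b = data[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def _encode_uleb128(n):
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def dex_strings(data):
    """Return every entry of a dex file's string table (MUTF-8 decoded as UTF-8)."""
    if data[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, table_off = struct.unpack_from("<II", data, 0x38)  # string_ids_size, string_ids_off
    strings = []
    for i in range(count):
        (str_off,) = struct.unpack_from("<I", data, table_off + 4 * i)
        _utf16_len, p = _read_uleb128(data, str_off)  # length prefix precedes the bytes
        end = data.index(b"\x00", p)                   # string_data is NUL-terminated
        strings.append(data[p:end].decode("utf-8", errors="replace"))
    return strings


def scan_strings(strings):
    """Map each indicator group to the identifiers actually seen in the string table."""
    hits = defaultdict(set)
    for s in strings:
        for group, needles in INDICATORS.items():
            for needle in needles:
                if needle in s:
                    hits[group].add(needle)
    return {g: sorted(v) for g, v in hits.items()}


def classify(hits):
    """Verdict: fetching code and executing it needs network, file write and class loading together."""
    if {"dynamic_load", "network_fetch", "file_write"} <= set(hits):
        return "runtime-code-download"
    if "dynamic_load" in hits:
        return "dynamic-loading"
    return "none"


def build_sample_dex(strings):
    """Constructed fixture: a minimal dex-shaped blob carrying only a string table."""
    header = bytearray(0x70)                 # dex header is 0x70 bytes
    header[:8] = b"dex\n035\x00"             # magic for dex format version 035
    table_off = len(header)
    data_off = table_off + 4 * len(strings)
    table, body = bytearray(), bytearray()
    for s in strings:
        table += struct.pack("<I", data_off + len(body))
        body += _encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    blob = header + table + body
    struct.pack_into("<I", blob, 0x20, len(blob))       # file_size
    struct.pack_into("<I", blob, 0x24, 0x70)            # header_size
    struct.pack_into("<I", blob, 0x28, 0x12345678)      # endian_tag (little-endian)
    struct.pack_into("<II", blob, 0x38, len(strings), table_off)
    return bytes(blob)


# Constructed sample resembling an ad SDK with a plugin loader (not real Igexin strings).
SAMPLE_STRINGS = [
    "Lcom/example/ads/PluginLoader;",
    "https://plugins.example.invalid/update",
    "Ljava/net/HttpURLConnection;",
    "openConnection",
    "Ljava/io/FileOutputStream;",
    "getDir",
    "Ldalvik/system/DexClassLoader;",
    "loadClass",
    "Ljava/lang/reflect/Method;",
    "invoke",
]


def analyze_sample():
    """Run the full pipeline on the constructed dex and return (verdict, hits)."""
    hits = scan_strings(dex_strings(build_sample_dex(SAMPLE_STRINGS)))
    return classify(hits), hits


if __name__ == "__main__":
    verdict, hits = analyze_sample()
    print(verdict)
    for group, names in sorted(hits.items()):
        print(f"  {group}: {', '.join(names)}")
```

Run it against a real app by replacing `build_sample_dex(SAMPLE_STRINGS)` with the bytes of `classes.dex` unzipped from the APK (multidex apps have `classes2.dex` and so on, which must each be scanned). The verdict is a triage signal, not proof: many legitimate SDKs use `DexClassLoader` for feature updates, so a `runtime-code-download` hit is a reason to pull the SDK's network traffic and look at what it actually fetches, which is the step that distinguished Igexin.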
In late July, Google said it found 20 Lipizzan spyware apps on the Play Store “distributed in a targeted fashion to fewer than 100 devices”, and blocked the apps as well as their developers from the Android ecosystem.