The incident is the latest evidence that attackers are focusing more and more of their attention on mobile devices and the app stores that feed them.

The SDK in question is called Igexin and it’s used to connect apps to ad networks and provides certain functionality. It allows app developers to collect information on users and then leverage that to provide targeted ads. Researchers from Lookout Security, who focus on mobile security, were looking at traffic from apps that communicate with servers that are known to serve malware and noticed one specific app downloading encrypted files from an IP address that’s used by the Igexin SDK.

“This sort of traffic is often the result of malware that downloads and executes code after an initially ‘clean’ app is installed, in order to evade detection. The encrypted file downloads and the presence of calls within the com.igexin namespace to Android's dalvik.system.DexClassLoader (used to load classes from a .jar or .apk file) were enough to warrant more in-depth analysis for possible malware hiding in its payload,” Lookout researchers Adam Bauer and Christoph Hebeisen wrote.

The researchers said that the apps containing the Igexin SDK have been downloaded more than 100 million times, but emphasized that not all of them actually had malicious functionality enabled. Those that did, however, had the ability to exfiltrate information from the device, including extensive data about call logs. Bauer and Hebeisen said there’s a good chance that most of the developers who wrote the affected apps didn’t know about the behavior of the SDK.

“It is likely many app developers were not aware of the personal information that could be exfiltrated from their customers' devices as a result of embedding Igexin's ad SDK. It required deep analysis of the apps' and ad SDK's behavior by our researchers to make this discovery. Not only is the functionality not immediately obvious, it could be altered at any time on the remote server,” they said.

There have been any number of examples of attackers using clean apps as delivery mechanisms for malware. Google and Apple both have extensive systems in place to catch malicious apps before they get into their app stores, through vetting of developers, scanning of apps, and behavioral analysis. But once an app is on a device, it becomes more complicated, and attackers are taking advantage of that situation.

“It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality - nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server,” Bauer and Hebeisen said.

That’s a shift in tactics from the attacker community, one that shows they’re paying attention to how Google and Apple are defending their app stores and devices. The vendors are continuing to improve their defenses, and that’s forcing the attackers to up their game, too.