Google has removed more than 500 Android apps from the Google Play Store marketplace after it was discovered advertising software used by the apps could be exploited and used to install spyware on handsets.

Putting users at risk was a software development kit (SDK) called Igexin. Developed by a Chinese company to perform targeted advertising services, the SDK was vulnerable to being used by attackers to sneak malware onto Android devices.

Igexin was first spotted by mobile security firm Lookout, which found the SDK active in more than 500 apps made available through Google’s official marketplace.

STRUCTURE SECURITY -- USE THIS ONE Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Photo: Newsweek Media Group

Lookout didn’t note the specific apps found to be using the vulnerable advertising software, but the firm did note it was found in a game targeted to teens with as many as 100 million downloads, a weather app and photo editing app with as many as five million downloads and internet radio app with one million users. Other affected apps included those in the category of education, health and fitness and travel.

The Igexin SDK was designed to developer advertisements to users of certain apps and generate revenue for the app maker. To do so, the service would also collect user data to help target advertising based on interests and browsing habits.

However, that’s not all Igexin was capable of doing. Unbeknownst to the creators of the SDK or the apps utilizing it, Igexin’s control server was compromised by attackers and used to deliver malware to devices.

Once the malicious payload is delivered to a device, an attacker can lift logs of user information from the device. Additionally, the attacker could remotely install other plugins to a compromised handset, including those that are able to record call logs and other potentially intimate or revealing information about user activity.

While it’s far from unheard of for a compromised SDK to make its way into the Google Play Store and allow a threat actor to compromise a user’s phone, Lookout noted the attack using Igexin is unique because those malicious SDKs are usually installed in apps created by the attackers themselves. In the case of Igexin, the app and SDK developers are not in control of or involved in the attack.

Because Igexin was such a common SDK and found in a number of extremely popular apps and services, it’s hard to say to what extent the vulnerability has been exploited. Lookout said users of its mobile antivirus software were safe from the attack, but others may not have been so lucky.

“While not all of these applications have been confirmed to download the malicious spying capability, Igexin could have introduced that functionality at their convenience,” Lookout security engineers Adam Bauer and Christoph Hebeisen said in their report.

The threat caught by Lookout is just the latest instance of compromised apps being removed from the Google Play Store. While Google has taken a more aggressive approach to policing its app marketplace, the search giant has still been stuck fighting threat after threat that slip through.