500+ apps were found collecting data from Google Play devices using an undisclosed back door. The combined downloads of the 500+ apps are well over 100,000,000. Google responded quickly by removing the offending apps.
This isn't the first time apps were found collecting data using undocumented API or other hidden tricks. In fact, third party security organizations have stated a large amount of Google apps collect data in one form or another without proper permissions. Some of the apps stole call history and GPS locations.
It is believed most of the app developers were unaware of malicious data gathering, and it was the development kit published by lgenix that installed the spyware.
The company behind the popular anti-virus product Lookout for Android wrote on their blog:
It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality - nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server.
The apps that contain the SDK included:
Games targeted at teens (one with 50M-100M downloads)
Weather apps (one with 1M-5M downloads)
Internet radio (500K-1M downloads)
Photo editors (1M-5M downloads)
Educational, health and fitness, travel, emoji, home video camera apps