More than 500 apps available on the Play Store, which have been downloaded a combined amount of over 100m times across Android, may have downloaded spyware to users through a malicious advertising SDK (software development kit) that the apps used.

The Igexin ad SDK, discovered by mobile security company Lookout, was found in games that target teens, weather, internet radio, photo editors, educational, health and fitness, travel, emoji, and home video camera apps. One of the games that contained the SDK had between 50m and 100m downloads, while one weather app and photo editor app had between 1m and 5m a piece with one internet radio app sitting at 500k to 1m downloads. Two of these popular apps include LuckyCash, with 1m downloads, and SelfieCity, which sits at 5m downloads.

Lookout notified Google of about the malicious SDK and the tech giant has since removed the apps from the Play Store, or replaced them with update versions that removes the SDK.

Igexin claims that its targeted advertising services leverage data collected about people such as their interests, occupation, income, and location. But, of course, this was discovered to be untrue by Lookout, though app developers would have also been unaware, thinking they were getting a traditional advertising SDK that leverages networks and delivers ads to users.

Lookout also notes that not all versions of Igexin, which is of Chinese origin, deliver malicious functionality. Only those that implement a specific plugin framework are capable of spying on users.