Hundreds of Android Apps Harbored Spyware — And Even Google Didn't Know

Google Holds Press Event Announcing New Products
An attendee inspects the new Nexus 5X phone during a Google media event on Sept. 29, 2015 in San Francisco.Justin Sullivan / Getty Images file

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
By Alyssa Newcomb

Hundreds of seemingly harmless free Android apps — many aimed at teens — hid a dirty little secret that even the app makers weren't aware of.

A code glitch in lgexin, a popular framework that app makers use to target advertisements at free users, could have left as many as 100 million people vulnerable to spyware, according to research from security firm Lookout.

"It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server," said a blog post from the company.

An attendee inspects the new Nexus 5X phone during a Google media event on Sept. 29, 2015 in San Francisco.Justin Sullivan / Getty Images file

Lookout did not say which apps were affected and instead broke them down by category. The vast majority of downloads, an estimated 50 million to 100 million, came from games targeted to teens, according to the report.

Other areas included weather apps, photo editors, internet radio, education, health, emoji, and camera downloads. The apps have since been updated or removed from the Google Play store, according to Lookout.

Once the bad guys have access to your phone, the glitch in the lgexin code could have allowed them to download malicious code from a third-party server onto your phone. The most "serious behavior" Lookout observed was the ability for cyber thieves to steal your phone records.

"Android devices are inherently more susceptible to malicious software," said Robert Siciliano, CEO of But Google has continued to work to stay ahead of hackers.

Related: A Wi-Fi Hopping Worm Targeting Smartphones

Google told NBC News, “We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe.”

The tech giant recently beefed up Android security with Google Play Protect, a security program that checks apps before you download them and periodically scans your device to help flag any potentially malicious apps.

"Unless the consumer has a background in forensics investigations and the necessary tools to determine if their device has spyware on it, they will be at a disadvantage and will not be able to detect malicious applications on their device," Siciliano said.

Even still, you'll want to always exercise caution when downloading apps. It's always a good practice to update your apps when prompted, since developers are always patching potential bugs.

Another flag is to review the description that comes along with the app. If it's peppered with misspellings and syntax errors, it's likely not a good bet.

And of course — downloading some sort of antivirus protection on your smartphone, the same way you would on your computer, will also help keep you safe.