Mobile Ad Library a Big Threat

Monday, October 7, 2013 @ 06:10 PM gHale

There is a new mobile threat from a popular ad library that is included in popular apps on Google Play and has more than 200 million downloads in total, researchers said.

Mobile ad libraries are third-party software that host apps include in order to display ads. This library’s functionality and vulnerabilities could be used to conduct large-scale attacks on millions of users. FireEye researchers dubbed it “Vulna” so as not to reveal its true identity.

FireEye analyzed all Android apps with over one million downloads on Google Play, and found over 1.8 percent of these apps used Vulna. Users downloaded these affected apps more than 200 million times.

While ad libraries do present privacy risks such as collecting device identifiers and location information, Vulna presents far more severe security issues.

First, Vulna is aggressive — if instructed by its server, it will collect sensitive information such as text messages, phone call history, and contacts, the researchers said. It also performs dangerous operations such as executing dynamically downloaded code.

Vulna also contains a number of diverse vulnerabilities. These vulnerabilities, when exploited, allow an attacker to utilize Vulna’s risky and aggressive functionality to conduct malicious activity, such as turning on the camera and taking pictures without the user’s knowledge, stealing two-factor authentication tokens sent via SMS, or turning the device into part of a botnet.

The following is a sample of the aggressive behaviors and vulnerabilities the FireEye researchers discovered in Vulna:
Aggressive behaviors
• In addition to collecting information used for targeting and tracking such as device identifiers and location, as many ad libraries do, Vulna also collects the device owner’s email address and the list of apps installed on the device. Furthermore, Vulna has the ability to read text messages, phone call history, and contact list, and share this data publicly without any access control through a web service that it starts on the device.
• Vulna will download arbitrary code and execute it when instructed by the remote server.

Vulnerabilities
• Vulna transfers users’ private information over HTTP in plain text, which is vulnerable to eavesdropping attacks.
• Vulna also uses unsecured HTTP for receiving commands and dynamically loaded code from its control server. An attacker can convert Vulna to a botnet by hijacking its HTTP traffic and serving malicious commands and code.
• Vulna uses Android’s WebView with JavaScript-to-Java bindings in an insecure way. An attacker can exploit this vulnerability and serve malicious JavaScript code to perform harmful operations on the device. This vulnerability is an instance of a common JavaScript binding vulnerability which, according to estimates, affects over 90 percent of Android devices.
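
As an added example (not from the article or from FireEye's research), here is a small static check a reviewer could run over decompiled third-party library source to flag the three weaknesses listed above. The Android API names are real; the file names, endpoint and sample source are constructed, and treating these calls as the way such a library implements the behavior is an assumption.

```python
import re

# One pattern per weakness named in the list above. These are real Android APIs;
# that an ad library reaches the behavior through them is this example's assumption.
RULES = {
    "cleartext-http": re.compile(r'"http://[^"\s]+"'),
    "dynamic-code-loading": re.compile(r'\bnew\s+(?:DexClassLoader|PathClassLoader)\s*\('),
    "js-bridge": re.compile(r'\.addJavascriptInterface\s*\('),
    "js-enabled": re.compile(r'\.setJavaScriptEnabled\s*\(\s*true\s*\)'),
}

def scan_source(files):
    """Return {path: {rule: [line numbers]}} for decompiled source given as {path: text}."""
    findings = {}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("//"):
                continue  # ignore whole-line comments
            for rule, rx in RULES.items():
                if rx.search(line):
                    findings.setdefault(path, {}).setdefault(rule, []).append(lineno)
    return findings

def triage(findings):
    """'high' when loaded code or a JS bridge sits beside a cleartext endpoint."""
    report = {}
    for path, hits in findings.items():
        http = "cleartext-http" in hits
        bridge = "js-bridge" in hits and "js-enabled" in hits
        loader = "dynamic-code-loading" in hits
        report[path] = "high" if http and (loader or bridge) else "review"
    return report

SAMPLE = {  # constructed sample source, not code from any real library
    "com/example/ads/AdClient.java": '''\
// fetches commands from "http://comment.example.invalid/ignored"
String endpoint = "http://ads.example.invalid/cmd";
ClassLoader cl = new DexClassLoader(jarPath, optDir, null, parent);
''',
    "com/example/ads/AdView.java": '''\
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(ctx), "bridge");
webView.loadUrl("https://ads.example.invalid/banner");
''',
}

if __name__ == "__main__":
    for path, level in triage(scan_source(SAMPLE)).items():
        print(level, path)
```

A "review" result still needs a manual look: a JavaScript bridge loaded over HTTPS is not injectable by a network eavesdropper, but it remains exposed to whatever content the server returns.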

Vulna’s aggressive behaviors and vulnerabilities expose Android users, especially enterprise users, to serious security threats. By exploiting Vulna’s aggressive behaviors, an attacker could download and execute arbitrary code on a user’s device within Vulna’s host app. The FireEye researchers found that host apps containing Vulna have powerful permissions that allow controlling the camera; reading and/or writing SMS messages, phone call history, contacts, browser history and bookmarks; and creating icons on the home screen.

An attacker could utilize these broad permissions to perform malicious actions. Attackers could:
• Steal two-factor authentication tokens sent via SMS
• View photos and other files on the SD card
• Install icons used for phishing attacks on the home screen
• Delete files and destroy data on demand
• Impersonate the owner and send forged text messages to business partners
• Delete incoming text messages without the user’s notice
• Place phone calls
• Use the camera to take photos without the user’s notice
• Read bookmarks or change them to point to phishing sites.

There are quite a few ways an attacker could exploit Vulna’s vulnerabilities. One example is public WiFi hijacking: When the victim’s device connects to a public WiFi hotspot (such as at a coffee shop or an airport), an attacker nearby could eavesdrop on Vulna’s traffic and inject malicious commands and code.
