Attacks/Breaches
8/13/2013
11:33 AM
Connect Directly
RSS
E-Mail
50%
50%

Android Malware Being Delivered Via Ad Networks

Attackers are using mobile ad network software installed on smartphones to push malicious JavaScript and take control of devices.

Beware active attacks that are using mobile advertising networks to deliver malware that's able to fully compromise Android devices.

So warned researchers at next-generation firewall vendor Palo Alto, who said they've discovered a series of attacks that have been serving up malicious code by hacking into an ad network's software development kit (SDK). Developers add these SDKs to their Android apps to tie into mobile advertising networks and earn referral fees.

The malware recovered by Palo Alto compromises an Android's SMS capabilities, allowing attackers to send and receive SMS messages without the user's knowledge. Attackers have used that functionality to sign people up for premium SMS services that drain subscribers' accounts and enrich the service operators -- typically the attackers themselves or their business partners. The SMS communications channel also gives attackers basic command-and-control functionality, meaning they could use compromised devices as part of a bigger Android botnet.

[ Google Play can be a tough neighborhood. Read Google Play: Beware Android Adware Infestation. ]

The Android mobile ad network attacks are unusual because the majority of online attacks today either target browser vulnerabilities as a stepping stone to installing malware or rely on phishing attacks and tricking users into executing malicious attachments. But by targeting an ad-network SDK, hackers can enjoy direct access to the device. "That's kind of a built-in backdoor into the application, and when a mobile ad network starts serving bad content, it shifts to become a botnet that is suddenly serving malicious content," explained Wade Williamson, a senior security analyst at Palo Alto, speaking by phone. "But the difference is there's no exploit needed, no bait and switch needed, because you already have this hook built into the application."

The threat mirrors the use of ad networks to create browser-based botnets. That vulnerability was detailed earlier this month at the Black Hat information security conference in Las Vegas by WhiteHat Security CTO Jeremiah Grossman, and Matt Johansen, who manages the firm's threat research center. The pair demonstrated how a would-be attacker could create a fake online advertisement with malicious JavaScript embedded, which would allow them to connect hundreds or thousands of PCs at once to a targeted website, thus creating a denial of service.

But the threat discovered by Palo Alto differs in two significant ways: First, attackers don't need to place a fake advertisement. Instead, they can simply hack into an advertising network, and that's assuming it's not a network that they -- or their business partners -- don't already control. Second, Palo Alto's researchers weren't theorizing. To date, they've seen seven infections, all in Asia, that have resulted from hacking into mobile advertising networks. The company, which builds Android APK file security check software, said none of the malware it recovered was recognized as such by Android antivirus scanners.

The ad-network-delivered malware recovered by Palo Alto is stealthy and doesn't attempt to trick a user into installing it immediately. "The malware itself was smart enough so that once it was delivered through the ad network, it wouldn't pop up and say, 'User, do you want to install me?" said Williamson. "It would just sit there and run in current memory, and it could do that, because think of how rarely we do a hard reset on our phones."

How can attackers who inject malicious code directly into Android devices via ad-network SDKs be stopped? One approach would be to sandbox all Android (APK) files so they can't touch other apps or unapproved device functionality. Another remedy might be to have Google not only vouch for the health of an app, as it does when offering them via Google Play, but instead maintain health checks for any advertising networks that the app touches.

In other words, Google could provide an "approved ecosystem" seal, said Williamson. "The challenge, I think, is that almost no one who buys mobile apps understands how that app relies on the ad network for its financial security," he said. "So it's going to require some user education into why an approved ad network matters."

Unfortunately, not all mobile ad networks can be trusted. In April, for example, Marc Rogers, principal security researcher at Lookout Mobile Security, reported finding BadNews, which masquerades as an innocent, if somewhat aggressive advertising network, according to a blog he posted at the time. All told, Lookout found 32 different apps from four different developer accounts that included the BadNews SDK and were available for download from Google Play.

"This is one of the first times that we've seen a malicious distribution network clearly posing as an ad network," Rogers said at the time. "Because it's challenging to get malicious bad code into Google play, the authors of BadNews created a malicious advertising network as a front that would push malware out to infected devices at a later date in order to pass the app scrutiny."

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
DerekC632
50%
50%
DerekC632,
User Rank: Apprentice
8/13/2013 | 11:19:37 PM
re: Android Malware Being Delivered Via Ad Networks
This has been a problem for a while, but it's only getting talked about now. With a few exceptions, like Airpush, most ad networks take very few precautions to make sure theirs ads don't carry malware. Every ad network needs to take filtering very, very seriously. If not, this is going to start negatively effecting mobile advertising's future - http://www.examiner.com/articl...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.