Play It Safe: Google Pulls Android Apps Tied To Dangerous Ad Platform


Some Google Android developers were forced to update their popular applications or face removal following the discovery that they tied their apps to an aggressive mobile advertising platform riddled with vulnerabilities.

The discovery was prompted by a FireEye study that uncovered an aggressive advertising platform that could have been used to steal user text messages, phone call history, and contacts on command. The platform also contained weaknesses that cybercriminals could leverage to turn the device into a mobile botnet or use its camera to take pictures and steal two-factor authentication tokens sent via text message.

FireEye researchers discovered the serious flaws and aggressive nature of the advertising platform following a review of potential threats posed by Android mobile applications with more than 1 million downloads. The firm didn't name the advertising network, but said the flaw-riddled platform it calls "Ad Vulna" was updated this week.

The security firm said it estimates that affected apps were downloaded more than 200 million times in total, underscoring the severity of the threat. By the very nature of the way ad networks are coded into mobile apps on Android devices, they are given the same permissions as the mobile app, enabling an attacker to take advantage of the device's capabilities.


"Vulna's aggressive behaviors and vulnerabilities expose Android users, especially enterprise users, to serious security threats," the FireEye researchers said. "By exploiting Vulna's aggressive behaviors, an attacker could download and execute arbitrary code on a user's device within Vulna's host app."

FireEye, Milpitas, Calif., released the findings of its study Oct. 4, indicating that it informed both the advertising platform and Google of its findings. In an update issued Tuesday, an app called "Mr. Number Blocker" simply removed the aggressive advertising platform. Other apps, including a popular title developed by Itch Mania called "What's The Word," were removed by Google, according to FireEye.

FireEye said the two apps were downloaded more than 26 million times, and many of those who downloaded them may still be at risk.

"Unfortunately, many users do not update their downloaded apps often and older versions of Android [do] not auto-update apps, so millions of users of these apps will remain vulnerable until they update to the latest version of the apps," FireEye said.

Google did not respond to a CRN request for comment in time for this story.

Threats against mobile devices have mainly focused on the steady rise in Android malware. But some security experts have been warning about aggressive and unchecked mobile advertising networks. Android developers can choose from dozens of advertising networks for their mobile apps. AdMob is the most popular platform, according to search and ranking repository service AppBrain. Developers link to the network by leveraging its ad library. Ad networks gain the same permissions as the mobile app on the Android platform.

A study by researchers at the University of California, Davis last year found that mobile ad code is not subject to the same level of privilege separation as it is in mobile browsers. The study, "Investigating User Privacy in Android Ad Libraries," found insecure use of Android's JavaScript extension mechanism in several ad libraries. The research team said the weaknesses enabled users to be tracked by a network sniffer across ad providers and by an ad provider across applications.

"The current situation does not provide adequate measures to protect users from unscrupulous ad libraries," the researchers said.

The study concluded that third-party code should not execute with the same privileges as the host app and should not be allowed to access application-specific data or phone user data unless specifically allowed by the user.

PUBLISHED OCT. 22, 2013