Mobile ad networks can provide a loophole to serve malware to Android devices, according to researchers from security firm Palo Alto Networks who have found new Android threats being distributed in this manner.
Most mobile developers embed advertising frameworks into their applications in order to generate revenue. Unlike ads displayed inside Web browsers, ads displayed within mobile apps are served by code that’s actually part of those applications.
The embedding of code for the advertising network into a mobile application itself ensures that ads get tracked and the developers get paid, but at the same time this third-party code represents a backdoor into the device, said Wade Williamson, senior security analyst at Palo Alto Networks, in a Monday blog post.
“If the mobile ad network turns malicious, then a completely benign application could begin bringing down malicious content to the device,” Williamson said. “What you have at that point is a ready-made botnet.”
There are precedents for this type of attack. In April, mobile security firm Lookout identified 32 apps hosted on Google Play that were using a rogue ad network later dubbed "BadNews." The apps were benign, but the malicious ad network was designed to push toll fraud malware targeting Russian-speaking users through those apps. The malware masqueraded as updates for other popular applications.
According to Williamson, researchers from Palo Alto Networks recently came across a similar attack in Asia that involved using a rogue ad network to push malicious code through other apps without being detected by mobile antivirus vendors.
The malicious payload pushed by the ad network runs quietly in the device memory and waits for users to initiate the installation of any other application, Williamson said. At that point, it prompts users to also install and grant permissions to the malware, appearing as if it’s part of the new application’s installation process, he said.
“This is a very elegant approach that doesn’t really require the end-user to do anything ‘wrong’,” the researcher said.
Once installed, the malware has the ability to intercept and hide received text messages, as well as to send text messages in order to sign up users for premium-rate mobile services, Palo Alto Networks said in a description of the attack sent via email.
A new approach
Such attacks are probably specific to certain geographic regions, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, Tuesday via email.
Botezatu expects the distribution of malware through mobile ad networks to become more common, especially in countries where mobile devices can’t access the official Google Play store or where users have difficulties in purchasing applications in a legitimate manner, causing most Android devices to be configured to accept APKs (Android application packages) from unknown sources.
That doesn’t mean that apps that deliver malware through ad networks can’t make it into Google Play, as the BadNews incident has shown.
Google Play checks APKs for malware before approving them, so getting an infected APK uploaded there can be very hard, Botezatu said. However, a malicious ad server could lay dormant until after the application is approved and then start delivering malware, he said.
Botezatu believes that users are more likely to fall victim to “malvertising”—malicious advertising—attacks launched through mobile apps than Web browsers. That’s because there have been many incidents of ad-based malware infections on computers and users are probably more careful about what they click on inside their browsers, he said.
Android users should make sure that their devices are not configured to allow the installation of apps from unknown sources and should run a mobile antivirus product, which might be able to detect malicious apps delivered through ad networks, he said.