DENVER—When developers build mobile apps, they’re not only coding functionality, but they’re also dragging in third-party software development kits (SDKs) for ads, analytics and lots of things in between.
A big function of SDKs is to communicate with a central server to receive instructions and content, but researchers have found that many of these servers have long been abandoned with a healthy number of those domains available for purchase on GoDaddy and other registrars.
This presents a giant opportunity for attackers to scoop up these domains on the cheap and push malicious code to suddenly vulnerable Android and iOS devices.
“Hundreds of these SDK companies were startups existing at one time, but many of these startups died and no one is maintaining this infrastructure. A large part of this infrastructure is unmaintained,” said Zhi Xu, who along with Palo Alto Networks researcher Tongbo Luo exposed this area of concern during a talk at the Virus Bulletin International Conference. “If unmaintained, the apps including these SDKs will try to talk to the master server for instructions and get no response. As domains expire, attackers can take over these domains and infrastructure, and send malicious instructions and content.”
The researchers published a paper called “Beware! Zombies Are Coming” that not only explains the risks, but also quantifies the numbers of abandoned zombie domains. Researchers looked at 2.8 million Android APK samples, Xu said, that used 575,000 unique root domains. Of those, 65,000 currently do not respond and are considered zombies, he said, adding that 33,000 were available on GoDaddy.
The researchers also studied the behaviors of legitimate and malicious clients and their use of predefined protocols in communicating with a master server. They learned that these share fairly similar behaviors, with both interested in services such as telephony mangers, location services, SMS, account managers and more.
“It just depends on who controls the master domains to decide whether they will be good or bad,” Xu said.
Once an attacker buys and controls a zombie domain, the researchers said, they can re-implement the original communication channel and gain the same privileges as the previous admin. Aggressive ad libraries for example, can start to collect location information, in addition to device data such as device type and IMSI information in order to correctly serve ads and content to the phone. An attacker could also automatically push malicious apps and code to phones via this channel. They could also enable JavaScript within Webview, used to load ads, which in this case could be used to load phishing ads or carry out remote code execution.
Researcher Luo also cautioned that domains that control HTML5 mobile apps are potentially more dangerous because they support the injection and execution of JavaScript programs through the channel, or by exploiting middleware such as PhoneGap, RhoMobile and others that support richer web content. Luo cautioned that PhoneGap, for example, installs plugins that support file and file transfers, email and SMS interfaces, the capability to execute code via shell commands and a LaunchMyApp feature.
The researchers explained that one such app called RogueSports, which is still available in Google Play and the App Store and via Windows Phone marketplaces, hasn’t been updated since 2014 and can be had for $12 on GoDaddy. Attackers can inject malicious code written in JavaScript that will execute on the device that will allow an attacker to embed iframes, steal credentials and other data or launch malware.
“It’s important to understand that a legitimate SDK command and control infrastructure can be dangerous,” Xu said. “Before you give a verdict to an app, consider all of its components, including the SDK, in malware detection, especially if the C&C is unmanaged.”