An Android ad library containing a maliciously potent cocktail of features and vulnerabilities is less of a danger to Android users today after Google and the ad network made a series of changes spurred by security firm FireEye’s insistence.
Despite fixes from the ad network, updates implemented by the application developers, and removal of apps and revocations of developer accounts by Google, there are still some 166 million application downloads affected by the bad adware, according to a report.
Earlier this month, FireEye published a blog post claiming that there was an ad library in a number of Android applications totaling more than 200 million total downloads that boasted a number of over-reaching features and a long list of concerning vulnerabilities. Due to the scope of the problem, FireEye opted not to publicly out the particular network, instead giving it the codename “Vulna” and sending its findings to Google, the responsible advertising library, and the developers of affected applications.
Developers build ad libraries like this one into their apps as a way of generating revenue.
FireEye tried its hand at phrase-coining, calling the threat posed by the cryptically codenamed ad library “vulnagressive.” The word melds vulnerable, because the library contains a number of vulnerabilities, and aggressive, because of the list of functions built into it.
FireEye considered the unnamed ad network aggressive because its ads could pull sensitive information such as call history, the contents of text messages, and contact lists from devices on which apps using the ad library are installed. Worse yet, the ad library had the capacity to download and execute arbitrary code from its remote server.
As if Vulna’s intentional features weren’t cause enough for concern, it also contains a series of vulnerabilities. For one, the ad library relays all the information it collects back to its control server in plaintext over HTTP, potentially exposing that data to eavesdroppers. In the same vein, the ad library also receives commands from its server via HTTP, giving an attacker who can hijack Vulna’s HTTP traffic the ability to serve malicious commands and code. Vulna also uses Android’s WebView component with an insecure implementation of JavaScript-to-Java bindings, leaving users vulnerable to attacks that deliver malicious JavaScript, according to the report.
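As an added illustration (not FireEye’s findings or the ad network’s code), the WebView pattern just described beside a hardened form; the `AdBridge` class, the `ad` object name and the hosts are assumptions, and the hardened variant assumes `targetSdkVersion` is at least 17:

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical object an ad SDK hands to its WebView. On devices below API 17
// (or with targetSdkVersion < 17) every public method of this object, and
// anything reachable from it by reflection, is callable from page JavaScript.
// When the page itself arrives over cleartext HTTP, whoever can tamper with
// that traffic gets to call those methods.
public final class AdBridge {
    // With targetSdkVersion >= 17 on an API 17+ device, only annotated
    // methods are exposed to page script.
    @JavascriptInterface
    public String sdkVersion() {
        return "example-sdk-1.0"; // constructed value
    }

    // Deliberately NOT annotated: must never be reachable from page script.
    public void fetchAndRunUpdate(String url) { /* privileged work */ }

    // Weak pattern the report describes: JS on, bridge exposed, HTTP content.
    public static void attachInsecure(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new AdBridge(), "ad");
        wv.loadUrl("http://ads.example.invalid/serve"); // placeholder host
    }

    // Hardened: no bridge at all where the pre-17 reflection semantics apply,
    // and navigation is refused unless it is HTTPS, so a network attacker
    // cannot inject commands. Pair with android:usesCleartextTraffic="false"
    // in the manifest on API 23+.
    public static void attachHardened(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            wv.addJavascriptInterface(new AdBridge(), "ad");
        }
        wv.setWebViewClient(new WebViewClient() {
            // The request-based overload on API 24+ delegates here by default.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                String scheme = Uri.parse(url).getScheme();
                return !"https".equalsIgnoreCase(scheme); // true = block load
            }
        });
        wv.loadUrl("https://ads.example.invalid/serve"); // placeholder host
    }
}
```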
Together, the vulnerabilities and aggressive behaviors expose affected users to a deluge of troubles. A knowledgeable attacker could steal two-factor authentication codes sent via SMS, access files, install malicious icons on the home screen, delete files and data, send texts on behalf of the owner, delete incoming messages, place phone calls, secretly take photos, and change bookmarks so they point to malicious sites.
Vulnerabilities and aggressive behaviors aside, Vulna receives commands from its ad server using data encoded in HTTP header fields rather than the HTTP response body. It is also difficult to analyze because its source code is obfuscated and its ads act erratically, making its behaviors hard to reliably trigger and analyze.