Unnamed Android Mobile Ad Library Poses Large-Scale Risk

An unnamed Android ad library can be abused to collect not only device data, but user activity on an Android device.

A popular Android mobile ad library available on Google Play can be used to collect device data or execute malicious code, security researchers have discovered.

The most alarming aspect to the library is that close to 2 percent of Android apps with more than 1 million downloads on Google Play use this particular library, and those apps have been downloaded more than 200 million times, researchers at FireEye said yesterday.

The researchers won’t disclose the name of the library, but said they have informed Google and the library’s vendor, both of whom are reportedly addressing the situation.

Mobile ad libraries enable apps to host advertisements; they generally collect IMEI and IMSI device identifiers. But this particular library, nicknamed Vulna by FireEye, is far more intrusive and capable of collecting text messages, contacts and call details, as well as having the capability to execute code.

“Vulna [also] contains a number of diverse vulnerabilities,” FireEye researchers said. “These vulnerabilities when exploited allow an attacker to utilize Vulna’s risky and aggressive functionality to conduct malicious activity, such as turning on the camera and taking pictures without user’s knowledge, stealing two-­factor authentication tokens sent via SMS, or turning the device into part of a botnet.”

One of the vulnerabilities discovered by FireEye is the practice of transferring users’ private information in plain text over HTTP allowing an attacker to view it. It also uses HTTP for receiving orders from its command and control server. “An attacker can convert Vulna to a botnet by hijacking its HTTP traffic and serving malicious commands and code,” the researchers said.

There is also a Java weakness in the way it uses Android’s WebView that could allow an attacker to serve malicious javascript. All of these conditions, coupled with the permissions given to this ad library—such as control over the camera or access to SMS messages—could give an attacker a number of options to pull off phishing attacks, ring up premium call or SMS charges, or invade a user’s privacy by taking illicit pictures, stealing passwords or viewing browsing history.

The researchers said the library puts the user’s device at risk to a number of exploits, including man-in-the-middle attacks over public Wi-Fi hotspots or even DNS hijacking attacks, redirecting the device’s mobile browser to an attacker-controlled site.

Worse, the library’s activities are difficult to detect because the commands it receives from the C&C server use data encoded in the HTTP header fields rather than in the response body. Source code is obfuscated as well, the researchers said, adding that its behaviors are difficult to analyze.

“In one popular game, Vulna is executed only at certain points in the game, such as when a specific level is reached,” the researchers said, adding that any malicious behavior happens in the background away from the reach of the user.

FireEye cautions that malicious ad libraries such as Vulna are a growing threat, especially for enterprises that allow personal mobile devices to access network resources.

“[These] ad libraries are disturbingly aggressive at collecting users’ sensitive data and embedding capabilities to execute dangerous operations on demand, and they also contain different classes of vulnerabilities which allow attackers to utilize their aggressive behaviors to harm users,” FireEye said. “App developers using these third-party libraries are often not aware of the security issues in them.”

Image courtesy Tuono Touji

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.