In most cases, the “free” Android applications you download from Google’s Play store aren’t free at all. These developers aren’t just developing apps for you out of the kindness of their collective hearts. Like most online services that don’t ask for the traditional up-front payment, the mobile application profit model relies on advertising and in-app purchases. Kaspersky Lab Mobile expert Brian Donohue explores the Android app ecosystem.
During the development process, whoever is building an application will often choose some third party ad library and bundle it into their app. Once an app is live in the Google Play store and starts getting downloaded by Android users, that third-party company is responsible for serving ads and paying the application’s developer.
Neither the developer nor the user has any control over what this ad library is doing, what kind of information it collects, the ads it serves or how it interacts with user devices. Some ad libraries are perfectly straightforward and responsible. Some are deceitful and reckless.
One such popular ad library deployed widely on Google’s Android operating system boasts a handful of excessive and intrusive features, contains a plethora of dynamic and potentially exploitable vulnerabilities, and has been downloaded in apps more than 200 million times. So reckless is the behavior of this particular library that the researchers from FireEye who analyzed it won’t even mention it by name, instead referring to it as “Vulna,” a melding of the two words they claim describe the library best: vulnerable and aggressive.
Like many ad libraries, Vulna has the capacity to collect sensitive information like the contents of text messages, call history, and contact lists. In addition – and more troubling – these Vulna ads can also execute downloaded code (aka install stuff) on the Android devices on which affiliated apps are installed.
What’s worse yet, the laundry list of vulnerabilities affecting the Vulna advertising service means that remote hackers can exploit any number of bugs, taking control of any of the ad network’s features and using them maliciously against the user on whose device Vulna is present. In other words – and this is the reason that FireEye isn’t publicly calling the network out by name – the millions of devices that Vulna is serving ads to are theoretically susceptible to a vast array of attacks.
Taken together with the vulnerabilities, which mostly have to do with a lack of encryption as data travels in both directions between Vulna’s servers and end-user devices, these features mean a knowledgeable attacker could theoretically do any of the following bad things: steal two-factor codes sent via standard messaging service (SMS), view photos and stored files, install malicious applications and icons on the home screen, delete files and data, impersonate the phone’s true owner for phishing and other purposes, delete incoming text messages, make phone calls, secretly use the camera and change bookmarks so they point to malicious sites. Other malicious possibilities include eavesdropping on affected devices over public Wi-Fi, installing botnet malware, and hijacking Vulna’s domain name system (DNS) servers, allowing the attacker to redirect the ad network’s traffic away from where it is supposed to go and toward a site controlled by the attacker, which is what happened in a recent and widely publicized attack on Twitter and the New York Times.
Adding insult to injury, it’s difficult for a user to even know if they have an application installed on their phone that is affiliated with Vulna because of the way it receives HTTP commands from the controller server. Its code is proprietary and obfuscated (as opposed to open-source), meaning that only its creators are allowed to examine it and it’s generally hard to know what the ad network is up to at any given time.
Luckily, FireEye was much more explicit about the actual identity of Vulna when they contacted Google and the company responsible for the Vulna ad libraries. FireEye recently announced that both Google and the company responsible have made a number of positive changes. Google removed a number of the applications most flagrantly abusing these behaviors and revoked the developer accounts responsible for them. Many developers updated their apps to move off the invasive version of Vulna, while others decided to drop Vulna altogether.
Unfortunately, many Android users do not install application updates and will therefore remain vulnerable to this threat. In fact, FireEye estimates that some 166 million downloads still contain the bad version of Vulna.
We obviously recommend that everybody install updates, because if you refuse to install updates there is almost nothing anyone can do to help you. You also need to be aware of adware. Paid versions of applications may seem like a waste of money when there are free apps that serve the same purpose, but the hard truth is that nothing is free. Most so-called “free” apps are ad-supported and – as the case of Vulna so perfectly illustrates – it’s often impossible to know for certain what these ad libraries are up to and how they are maintained.
Imagine for a second that an attacker were to hijack Vulna’s DNS servers and redirect all of its clicks to a site hosting a credential-stealing banking trojan. Millions of users could potentially have their bank accounts compromised. The costs, both in terms of time and money, associated with recovering a bank account would surely exceed the couple of dollars it might have cost to use the non-ad-supported app in the first place. Of course, paid apps aren’t always available or affordable. At the very least, read and continually monitor the permissions of the apps you download and disable third-party installs whenever possible.
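As a concrete way to act on the two points the post makes about Vulna-style ad libraries (the capabilities a bundled library inherits from the app’s permissions, and the unencrypted HTTP traffic that makes the interception attacks possible), here is an added example that is not part of the original post and not FireEye’s or Kaspersky’s tooling. It parses the text printed by `aapt dump permissions app.apk` and an app’s Android `network_security_config.xml`, flags the permissions that map to the abilities listed above (SMS, call log, contacts, camera, phone calls, package installs, stored files), and reports whether the app still allows cleartext HTTP. The two `aapt` output formats handled are assumed, and the sample dump and XML below are constructed inputs, not a real app.

```python
"""Audit an Android app's declared permissions and its cleartext-HTTP policy.

Added example: inputs are (a) the output of `aapt dump permissions app.apk`
and (b) the app's network_security_config.xml. Sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Permissions that give a bundled ad library the abilities the post describes.
SENSITIVE = {
    "android.permission.READ_SMS": "read text messages (incl. 2FA codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.CAMERA": "use the camera",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install packages (third-party installs)",
    "android.permission.READ_EXTERNAL_STORAGE": "read photos and stored files",
}

# Matches both assumed aapt forms:
#   uses-permission: android.permission.INTERNET          (older aapt)
#   uses-permission: name='android.permission.INTERNET'   (newer aapt)
PERM_RE = re.compile(r"uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?")


def parse_aapt_permissions(text):
    """Return the permission names found in an `aapt dump permissions` dump."""
    perms = []
    for line in text.splitlines():
        m = PERM_RE.search(line)
        if m:
            perms.append(m.group(1))
    return perms


def flag_sensitive(perms):
    """Map each declared permission that an ad library could abuse to its risk."""
    return {p: SENSITIVE[p] for p in perms if p in SENSITIVE}


def cleartext_permitted(nsc_xml):
    """True if the network security config allows plain HTTP for any destination.

    An absent cleartextTrafficPermitted attribute is treated as permitted
    (the conservative reading; apps targeting older SDK levels default to it).
    """
    root = ET.fromstring(nsc_xml)
    for cfg in root.iter():
        if cfg.tag in ("base-config", "domain-config"):
            if cfg.get("cleartextTrafficPermitted", "true").lower() == "true":
                return True
    return False


def audit(aapt_text, nsc_xml=None):
    """Combine both checks; no config file means cleartext is assumed allowed."""
    perms = parse_aapt_permissions(aapt_text)
    return {
        "permissions": perms,
        "sensitive": flag_sensitive(perms),
        "cleartext_http": cleartext_permitted(nsc_xml) if nsc_xml else True,
    }


# Constructed sample inputs (not a real app).
SAMPLE_AAPT = """\
package: com.example.freegame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission-sdk-23: name='android.permission.READ_EXTERNAL_STORAGE'
"""

WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
</network-security-config>"""

if __name__ == "__main__":
    for label, nsc in (("weak", WEAK_NSC), ("hardened", HARDENED_NSC)):
        report = audit(SAMPLE_AAPT, nsc)
        print(f"[{label}] cleartext HTTP allowed: {report['cleartext_http']}")
        for perm, risk in report["sensitive"].items():
            print(f"  {perm}: {risk}")
```

Run it against a real APK by piping `aapt dump permissions app.apk` into `parse_aapt_permissions` and pulling `res/xml/network_security_config.xml` from the unpacked APK; an app whose only job is a game or flashlight but which declares SMS, call log or camera access is exactly the case where an ad library, not the app, is the likely consumer of those permissions.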
This blog entry first appeared on MEF Member Kaspersky Lab’s blog. Brian Donohue is a Kaspersky Lab Mobile expert.