More Android malware distributed through mobile ad networks

Security researchers from Palo Alto Networks found Android apps downloading malware from rogue mobile ad networks

Mobile ad networks can provide a loophole to serve malware to Android devices, according to researchers from security firm Palo Alto Networks who have found new Android threats being distributed in this manner.

Most mobile developers embed advertising frameworks into their applications in order to generate revenue. Unlike ads displayed inside Web browsers, ads displayed within mobile apps are served by code that's actually part of those applications.

The embedding of code for the advertising network into a mobile application itself ensures that ads get tracked and the developers get paid, but at the same time this third-party code represents a backdoor into the device, said Wade Williamson, senior security analyst at Palo Alto Networks, in a Monday blog post.

"If the mobile ad network turns malicious, then a completely benign application could begin bringing down malicious content to the device," Williamson said. "What you have at that point is a ready-made botnet."

There are precedents for this type of attack. In April, mobile security firm Lookout identified 32 apps hosted on Google Play that were using a rogue ad network later dubbed BadNews. The apps were benign, but the malicious ad network was designed to push toll fraud malware targeting Russian-speaking users through those apps. The malware masqueraded as updates for other popular applications.

According to Williamson, researchers from Palo Alto Networks recently came across a similar attack in Asia that involved using a rogue ad network to push malicious code through other apps without being detected by mobile antivirus vendors.

The malicious payload pushed by the ad network runs quietly in the device memory and waits for users to initiate the installation of any other application, Williamson said. At that point, it prompts users to also install and grant permissions to the malware, appearing as if it's part of the new application's installation process, he said.

"This is a very elegant approach that doesn't really require the end-user to do anything 'wrong'," the researcher said.

Once installed, the malware has the ability to intercept and hide received text messages, as well as to send text messages in order to sign up users for premium-rate mobile services, Palo Alto Networks said in a description of the attack sent via email.

Such attacks are probably specific to certain geographic regions, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, Tuesday via email.

Botezatu expects the distribution of malware through mobile ad networks to become more common, especially in countries where mobile devices can't access the official Google Play store or where users have difficulties in purchasing applications in a legitimate manner, causing most Android devices to be configured to accept APKs (Android application packages) from unknown sources.

That doesn't mean that apps that deliver malware through ad networks can't make it into Google Play, as the BadNews incident has shown.

Google Play checks APKs for malware before approving them, so getting an infected APK uploaded there can be very hard, Botezatu said. However, a malicious ad server could lay dormant until after the application is approved and then start delivering malware, he said.

Botezatu believes that users are more likely to fall victim to "malvertising" -- malicious advertising -- attacks launched through mobile apps than Web browsers. That's because there have been many incidents of ad-based malware infections on computers and users are probably more careful about what they click on inside their browsers, he said.

Android users should make sure that their devices are not configured to allow the installation of apps from unknown sources and should run a mobile antivirus product, which might be able to detect malicious apps delivered through ad networks, he said.

Join the PC World newsletter!

Error: Please check your email address.

Tags Android OSsecuritymobile securitymobilefraudbitdefendermalwaremobile applicationspalo alto networks

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?