
Android adware that MUST NOT BE NAMED threatens MILLIONS

  • 9 October 2013
  • 14 replies
  • 2596 views

Userlevel 7
Badge +54
A popular mobile ad library used by multiple Android apps poses a severe malware threat, researchers at infosec firm FireEye have warned. The security researchers said that altogether 200 million affected apps had been downloaded.
This ad library aggressively collects sensitive data and is able to perform dangerous operations such as calling home to a command-and-control server before downloading and running secondary components on demand.
Mobile ad libraries are third-party software included by host apps in order to display ads. Because this library could potentially be used to conduct large-scale attacks on millions of users, FireEye refers to it anonymously by the code name “Vulna” rather than revealing its true identity.
An analysis of the most popular apps (those with over one million downloads) on Google Play reveals that 1.8 per cent of them used "Vulna". The potentially affected apps have been downloaded more than 200 million times in total.

Full Article
Best answer by CameronP 16 October 2013, 22:19

14 replies

Userlevel 7
Thanks for posting this! It's a very interesting story and our threat researchers are currently investigating the threat.
Userlevel 7
@ wrote:
Thanks for posting this! It's a very interesting story and our threat researchers are currently investigating the threat.
Yegor, 
 
I am pretty sure my phone is clean of that library, but please do let us know what the Threat Researchers find out about it, as well as how to tell if your phone has it on it for those of us who have a device too old to run the current Webroot Mobile!
Userlevel 7
A frightening thing!

I have a few applications on my Android device which display ads, so I am very eager to know whether installed WSA Complete protects my phone and how to verify that phone isn't plagued by this adware.
 
Yegor, please keep us informed!
 
Thanks!
Userlevel 7
@ sorry to catch you up but do you have any information from researchers? We should know where we are.
Userlevel 7
Many security vendors have been marking ad providers as adware/malware for exhibiting similar behaviors. We already protect against many different ad libraries capable of the exact same behaviors described by FireEye.
 
Both, Google and the developer of the software have been notified about the threat.
 
Webroot identifies malicious behaviors and marks apps accordingly. In this case, FireEye already claims to have addressed the issue directly with Google themselves.
Userlevel 7
OK, thanks Mike for the explanation.
 
Does it mean that even if I have a few free Android applications installed which show ads they are harmless in fact because otherwise WSA would catch them as bad?
Userlevel 7
We wouldn't allow you to install apps with malicious ads and we notify Google if we find any. 
 
Hypothetically, if you were to click on a malicious ad in an app like a browser, the Execution Shield would come into play and keep you protected.
Userlevel 7
OK, I am not afraid of new installations.
 
My concern is in already installed applications which are NOT browsers. For instance Clean Master (very reputable Android cleaner, more than 10,000,000 downloads) that shows ads. How will WSA recognize that streamed ads are safe?
Userlevel 7
They are determined 'good' or 'bad' by their behavior. 
 
If their behavior is malicious, we work with Google to remove them.
Userlevel 7
@ wrote:
They are determined 'good' or 'bad' by their behavior. 
 
If their behavior is malicious, we work with Google to remove them.
OK, understood. Though if they are found malicious, what risks do they pose on an Android device? By saying "removed by Google" you probably mean removed from the Play Store, but what happens with this application on the phone? Will WSA delete it or ...?
 
Sorry to bother you but I have a sense for details :D
Userlevel 4
As Mike said, clicking an ad could lead you to something malicious, but that is what the web shield and/or execution shield are for. (Different shields depending on whether the ad is trying to install an app or simply bring you to a website.) This is something the ad provider would need to prevent on their end as well, since if they are legitimate they probably don't want malicious ads being streamed to their users. :p
 
Apps already installed will have the ad provider code embedded in them. This code is what we look at to determine if the ad provider is safe or not. The malicious/vulnerable ad providers are ones who have code to gather too much data or change their functionality on the fly (like how Vulna is described). In the cases of providers whose code is benign, to change the embedded code they would need to have the developer update the app on the Play store with the new code and then the Play store will have you update the app. At that point, Webroot will scan the app and if the new version is deemed malicious Webroot will pop up.
 
If we deem any existing/installed app's ad provider code to be malicious, the next time a scan is run on your phone, the installed app will be detected by Webroot and you will receive a prompt to uninstall the app.
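As an added illustration (not Webroot's or FireEye's code) of the kind of embedded-code assessment described above, the script below inspects a constructed app manifest and a constructed list of decompiled class references, and flags the Vulna-like combination of sensitive-data permissions, network access and dynamic code loading. The indicator lists, the sample manifest and the sample references are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed class/method references in the form a decompiler lists them (assumption).
SAMPLE_REFS = [
    "Lcom/example/ads/Loader;->fetch(Ljava/lang/String;)V",
    "Ldalvik/system/DexClassLoader;-><init>(...)V",
    "Ljava/net/HttpURLConnection;->connect()V",
]

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
# Permissions that let embedded code gather data beyond what ad display needs (assumed list).
SENSITIVE = {"android.permission.READ_PHONE_STATE", "android.permission.READ_CONTACTS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS"}
NETWORK = {"android.permission.INTERNET"}
# APIs that let code change its functionality on the fly by loading components at runtime.
DYNAMIC_LOAD = ("dalvik/system/DexClassLoader", "dalvik/system/PathClassLoader",
                "java/lang/Runtime;->exec")


def permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NAME) for p in root.iter("uses-permission")}


def assess(manifest_xml, refs):
    """Score the app against the three traits the thread attributes to Vulna."""
    perms = permissions(manifest_xml)
    findings = {
        "sensitive_data": sorted(perms & SENSITIVE),
        "network": bool(perms & NETWORK),
        "dynamic_code": sorted(d for d in DYNAMIC_LOAD if any(d in r for r in refs)),
    }
    # Vulna-like profile: collects sensitive data, can phone home, and can swap behaviour at runtime.
    findings["vulna_like"] = (bool(findings["sensitive_data"]) and findings["network"]
                              and bool(findings["dynamic_code"]))
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, SAMPLE_REFS))
```

A real scan would take the permissions from the decoded AndroidManifest.xml and the references from the app's dex code; the same three-trait check then applies unchanged.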
Userlevel 7
Thanks Cameron for the thorough explanation. ;)
 
However, I have a question ...
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Don't worry ... I am filled with enough information. :D
Userlevel 4
Haha, always glad to help clear some stuff up.
Userlevel 7
Badge +54
Google pulls all Android apps linked to adware badness THAT MUST NOT BE NAMED
 
Google has pulled multiple Android apps that relied on a popular mobile app library that posed a severe security risk.

The ad library, codenamed “Vulna” (or “Ad Vulna”) by FireEye, the net security firm that uncovered the threat, aggressively collects sensitive data as well as being able to perform dangerous operations such as phoning home to a command-and-control server before downloading and running secondary components on demand.

In the two weeks since the alarm about Vulna first went out, Google has removed numerous apps from Google Play that relied on the technology. It has also cancelled a number of Developer accounts, as a follow-up blog post on the issue by FireEye explains.

    A number of these vulnaggressive apps and their developers’ accounts have been taken down from Google Play, including app developer Main Games Mobile, Itch Mania and Popadworld. The total number of downloads of these apps was more than six million before the take-down. Sadly, while removing these apps from Google Play prevents more people from being infected, the millions of devices that already downloaded them remain vulnerable.

    Second, a number of apps from the list that we reported to Google and Ad Vulna have updated the ad library included in the app to the newest version, which fixes many of the security issues we found. Moreover, a number of other apps, such as Mr. Number Blocker with more than 5 million downloads, have simply removed the vulnaggressive ad library Ad Vulna. The total number of downloads of these apps before they were updated was more than 26 million. Unfortunately, many users do not update their downloaded apps often, and hence millions of users of these apps will still be vulnerable until they update to the latest version of the apps.
 
Full Story