Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions

FireEye researchers have discovered a rapidly-growing class of
mobile threats represented by a popular ad library affecting apps
with over 200 million downloads in total. This ad library,
anonymized as “Vulna,” is aggressive at collecting
sensitive data and is able to perform dangerous operations such as
downloading and running new components on demand. Vulna is also
plagued with various classes of vulnerabilities that enable
attackers to turn Vulna’s aggressive behaviors against users. We
coined the term “vulnaggressive” to describe this class of
vulnerable and aggressive characteristics. Most vulnaggresive
libraries are proprietary and it is hard for app developers to know
their underlying security issues. Legitimate apps using
vulnaggressive libraries present serious threats for enterprise
customers. FireEye has informed both Google and the vendor of Vulna
about the security issues and they are actively addressing it.

Recently FireEye
discovered a new mobile threat from a popular ad library that no other
anti-virus or security vendor has reported publicly before. Mobile ad
libraries are third-party software included by host apps in order to
display ads. Because this library’s functionality and vulnerabilities
can be used to conduct large-scale attacks on millions of users, we
refer to it anonymously by the code name “Vulna” rather than revealing
its identity in this blog.

We have analyzed all Android apps with over one million downloads on
Google Play, and we found that over 1.8% of these apps used Vulna.
These affected apps have been downloaded more than 200 million times
in total.

Though it is widely known that ad libraries present privacy risks
such as collecting device identifiers (IMEI, IMSI, etc.) and location
information, Vulna presents far more severe security issues. First,
Vulna is aggressive—if instructed by its server, it will collect
sensitive information such as text messages, phone call history, and
contacts. It also performs dangerous operations such as executing
dynamically downloaded code. Second, Vulna contains a number of
diverse vulnerabilities. These vulnerabilities when exploited allow an
attacker to utilize Vulna’s risky and aggressive functionality to
conduct malicious activity, such as turning on the camera and taking
pictures without user’s knowledge, stealing two-­factor authentication
tokens sent via SMS, or turning the device into part of a botnet.

We coin the term “vulnaggressive” to describe this class of
vulnerable and aggressive characteristics.

The following is a sample of the aggressive behaviors and
vulnerabilities we have discovered in Vulna:

  • Aggressive Behaviors

    • In addition to collecting information used for targeting and
      tracking such as device identifiers and location, as many ad
      libraries do, Vulna also collects the device owner’s email
      address and the list of apps installed on the device.
      Furthermore, Vulna has the ability to read text messages,
      phone call history, and contact list, and share this data
      publicly without any access control through a web service that
      it starts on the device.

    • Vulna will download arbitrary code and execute it when
      instructed by the remote server.

  • Vulnerabilities

    • Vulna transfers user’s private information over HTTP in plain
      text, which is vulnerable to eavesdropping attacks.

    • Vulna also uses unsecured HTTP for receiving commands and
      dynamically loaded code from its control server. An attacker
      can convert Vulna to a botnet by hijacking its HTTP traffic
      and serving malicious commands and code.

    • Vulna uses Android’s WebView with JavaScript-­to-­Java
      bindings in an insecure way. An attacker can exploit this
      vulnerability and serve malicious JavaScript code to perform
      harmful operations on the device. This vulnerability is an
      instance of a common JavaScript binding vulnerability which
      has been estimated to affect over 90% of Android devices.

      Vulna’s aggressive behaviors and vulnerabilities expose
      Android users, especially enterprise users, to serious
      security threats. By exploiting Vulna’s vulnaggressive
      behaviors, an attacker could download and execute arbitrary
      code on user’s device within Vulna’s host app. From our study,
      many host apps containing Vulna have powerful permissions that
      allow controlling the camera; reading and/or writing SMS
      messages, phone call history, contacts, browser history and
      bookmarks; and creating icons on home screen. An attacker
      could utilize these broad permissions to perform malicious
      actions. For example, attackers could:

      • steal two-factor
        authentication token sent via SMS
      • view photos and
        other files on the SD card
      • install icons used for
        phishing attacks on the home screen
      • delete files
        and destroy data on demand
      • impersonate the owner
        and send forged text messages to business partners
      • delete incoming text messages without the user’s
        notice
      • place phone calls
      • use the camera to
        take photos without user’s notice
      • read bookmarks or
        change them to point to phishing sites

      There
      are many possible ways an attacker could exploit Vulna’s
      vulnerabilities. One example is public WiFi hijacking: when
      the victim’s device connects to a public WiFi hotspot (such as
      at a coffee shop or an airport), an attacker nearby could
      eavesdrop on Vulna’s traffic and inject malicious commands and
      code.

      Attackers can also conduct DNS hijacking to attack
      users around the world, as in the Syrian Electronic Army’s
      recent attacks targeting Twitter, the New York Times, and
      Huffington Post. In a DNS hijacking attack, an attacker could
      modify the DNS records of Vulna’s ad servers to redirect
      visitors to their own control server, in order to gather
      information from or send malicious commands to Vulna on the
      victim’s device.

      Despite the severe threats it poses,
      Vulna is stealthy and hard to detect:

      • Vulna receives commands from its ad server using data
        encoded in HTTP header fields instead of the HTTP response
        body.

      • Vulna obfuscates its code, which makes traditional
        analysis difficult.

      • Vulna’s behaviors can be difficult to trigger using
        traditional analysis. For example, in one popular game,
        Vulna is executed only at certain points in the game, such
        as when a specific level is reached, as shown in the
        figure below. (The figure has been partially blurred to
        hide the identity of the app.) When Vulna is executed, the
        only effect visible to the user is the ad on top of the
        screen. However, Vulna quietly executes its risky
        behaviors in the background.

        Vulna's screen shot

      FireEye Mobile Threat Prevention
      applies a unique approach and technology that made it possible
      to discover the security issues outlined in this post quickly
      and accurately despite these challenges. We have provided
      information about the discovered security issues,  the list of
      impacted apps and suggestions to both Google and the vendor of
      Vulna. They have confirmed the issues and they are actively
      addressing it.

      In conclusion,
      we have discovered a new mobile threat from a popular ad
      library (codenamed “Vulna” for anonymity). This
      library is included in popular apps on Google Play which have
      more than 200 million downloads in total. Vulna is an instance
      of a rapidly­-growing class of mobile threat, which we have
      termed vulnaggressive ad libraries. Vulnaggressive ad
      libraries are disturbingly aggressive at collecting users’
      sensitive data and embedding capabilities to execute dangerous
      operations on demand, and they also contain different classes
      of vulnerabilities which allow attackers to utilize their
      aggressive behaviors to harm users. App developers using these
      third-party libraries are often not aware of the security
      issues in them. These threats are particularly serious for
      enterprise customers. Furthermore, this vulnaggressive
      characteristic is not just limited to ad libraries; it also
      applies to other third-party components and apps.

      Acknowledgement

      Special thanks to FireEye team
      members Adrian Mettler, Peter Gilbert, Prashanth Mohan, and
      Andrew Osheroff for their valuable help on writing this blog.
      We also thank Zheng Bu and Raymond Wei for their valuable
      comments and feedback.

      Appendix: Sample code snippet of collecting and sending
      call logs in Vulna

       

      class x implements Runnable

       

      {

      run(){

      List localList = get_call_log();

      construct_JSON_and_send_to_remote(localList);

      }

      }

      List get_call_log()

      {

      ArrayList localArrayList = new ArrayList();

      Cursor cur1 = getContentResolver().query(CallLog.Calls.CONTENT_URI,

      new String[] { "number", "type", "date" }, null, null,

      "date DESC limit 10");

      cur2 = cur1;

      if (cur2 != null){

      int i = cur2.getColumnIndex("number");

      int j = cur2.getColumnIndex("type");

      while (cur2.moveToNext()){

      String str = cur2.getString(i);

      if ((cur2.getInt(j)==2) && (!localArrayList.contains(str)))

      localArrayList.add(str);

      }

      }

      return localArrayList;

      }

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips