Malicious Web advertising has long been a way for attackers to compromise PCs, but now the technique appears to be making its way to the world of mobile devices.
According to Palo Alto Networks, attackers are using malicious ads to silently infect users. Mobile ad networks require the mobile application to reach out to the Web and pull the correct ad, which requires the developer to install a software development kit (SDK) or other software into the mobile application so the ad can be displayed. In the event the ad network is malicious, this effectively brings malicious content to anyone who downloads the application.
Once the device is compromised, the attackers can use it to make calls to premium numbers and commit other types of malicious acts.
So far, only a handful of this type of malware has been seen in the wild, Williamson told SecurityWeek. The attacks are largely slipping under the radar, primarily because the malware was unknown and the delivery method uses the way mobile applications are supposed to behave.
This is not the first time this type of malicious ad network has been found targeting mobile users. In April, Lookout Mobile Security detected a malware threat known as BadNews in 32 apps from four different developer accounts found on Google Play. The applications were downloaded between two million and nine million times before being removed by Google.
Last December, Trend Micro noted the threat this posed in a report entitled ‘The Hidden Risk Behind Mobile Ad Networks’, and observed that some of the top mobile ad networks had recently released new SDKs with mandated opt-in mechanisms that give app users the option to either allow or forbid ad networks to collect data and display ads outside of apps.
“The industry has been spending its time trying to make sure that the applications in app stores are safe and free of malware,” he said. “But this method can take a completely valid and benign application and use it to bring down malware. If the malware file isn’t known, then it’s very easy for this behavior to go unnoticed.”
Research into the origin of the threat is ongoing, but according to Palo Alto Networks, the samples they discovered originated in Asia. To help combat the threat, the company has added new capabilities in its WildFire malware analysis sandbox that enable it to analyze Android applications in the APK file format to detect malicious content embedded within Android applications.
“There is very little that a user can do for this type of problem because this type of infection can happen even if the end user does everything right,” Williamson said. “I think the industry needs to do a better job of establishing reputation for reputable ad networks so that developers can easily choose a service that is established and safer.”
