Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Malicious Ad Networks Target Mobile Devices

Malicious Web advertising has long been a way for attackers to compromise PCs, but now the technique appears to be making its way to the world of mobile devices.

Malicious Web advertising has long been a way for attackers to compromise PCs, but now the technique appears to be making its way to the world of mobile devices.

According to Palo Alto Networks, attackers are using malicious ads to silently infect users. Mobile ad networks require the mobile application to reach out to the Web and pull the correct ad, which requires the developer install a software development kit [SDK] or other software into the mobile application so the ad can be displayed. In the event the ad network is malicious, this effectively brings malicious content to anyone who downloads the application.

“There is a very low barrier to entry for someone to become an ad network,” said Wade Williamson, senior security analyst, Palo Alto Networks. “Some open source software and a bit of marketing can get the ball rolling. Secondly, there are a lot of independent app developers and by and large ads are the way that they make any money off of their applications. So they are naturally going to looking for the best deals that they can – A disreputable ad network can promise a developer higher returns and lure in developers pretty easily.”

Once the device is compromised, the attackers can use it to make calls to premium numbers and commit other types of malicious acts.  

So far, only a handful of this type of malware has been seen in the wild, Williamson told SecurityWeek. The attacks are largely slipping under the radar, primarily because the malware was unknown and the delivery method uses the way mobile applications are supposed to behave.

This is not the first time this type of malicious ad networks has been found targeting mobile users.  In April, Lookout Mobile Security detected a malware threat known as BadNews in 32 apps from four different developer accounts found on Google Play. The applications were downloaded between two million and nine million times before being removed by Google.

Last December, Trend Micro noted the threat this posed in a report entitled ‘The Hidden Risk Behind Mobile Ad Networks’, and observed that some of the top mobile ad networks had recently released new SDKs with mandated opt-in mechanisms that give app users the option to either allow or forbid ad networks to collect data and display ads outside of apps.

“The industry has been spending its time trying to make sure that the applications in app stores are safe and free of malware,” he said. “But this method can take a completely valid and benign application and use it bring down malware. If the malware file isn’t known, then it’s very easy for this behavior to go unnoticed.”

Research into the origin of the threat is ongoing, but according to Palo Alto Networks, the samples they discovered originated in Asia. To help combat the threat, the company has added new capabilities in its WildFire malware analysis sandbox that enable it to analyze Android applications in the APK file format to detect malicious content embedded within Android applications.

“There is very little that a user can do for this type of problem because this type of infection can happen even if the end user does everything right,” Williamson said. “I think the industry needs to do a better job of establishing reputation for reputable ad networks so that developers can easily choose a service that is established and safer.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.