
Mobile Ad SDK Exposes iOS Users to Remote Attacks

Vpon ad SDK exposes iOS users to attacks


The iOS version of a mobile advertising software development kit (SDK) used by developers in China and Taiwan has been found to contain code that allows malicious actors to remotely access and steal sensitive information from devices.

FireEye researchers discovered that the Vpon ad SDK for iOS includes code that allows application developers, the creator of the SDK, or malicious third parties to send remote commands to the app and instruct it to record audio, capture screenshots and videos, harvest the device’s location, access the address book, read and modify files within the app’s sandbox, exfiltrate data to remote servers, and identify and launch applications installed on the device.

Experts determined that the code is included only in versions of Vpon’s SDK that have been integrated with a platform from AdsMogo, a company that claims to be the largest mobile supply-side platform (SSP) and ad exchange in China.

According to FireEye, the malicious capabilities introduced by the use of the ad SDK are delivered through plugins of Apache Cordova, the open source mobile development framework that allows users to leverage web technologies such as HTML5 and JavaScript for cross-platform development.

These Cordova plugins allow app developers to interact with the operating system and the hardware, including the accelerometer, geolocation, the camera, media, contacts, and storage.

While Vpon has implemented these plugins, the capabilities they offer are not available to developers in the company’s standard SDK. However, AdsMogo provides a piece of software that allows app developers to integrate the Vpon SDK with the plugin capabilities enabled.

FireEye reported identifying 36 iOS applications containing the risky code on the Apple App Store. Apple has been informed about the issue, but it has not provided any feedback to the security firm. Vpon has ignored FireEye’s notifications and had not responded to SecurityWeek’s request for comment by the time of publication.


While researchers have not captured any network traffic during their investigation to determine if the potentially malicious code is actually being used, they said they see no justification for Vpon to need these capabilities.

Experts pointed out that in addition to the provider of the SDK, an attacker with a privileged position on the network could also leverage the capabilities offered by the SDK to target users.
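For app teams vetting a Cordova-based bundle, the two exposures described above (native capabilities reachable from JavaScript, and traffic an on-path attacker can tamper with) can be checked from the bundle's `config.xml` and `Info.plist`. The script below is an added example, not code from FireEye, Vpon or AdsMogo. It assumes the stock Apache Cordova iOS plugin class names, since the article does not give the SDK's own identifiers, and it uses constructed sample inputs.

```python
import plistlib
import xml.etree.ElementTree as ET

# Stock Apache Cordova iOS plugin classes mapped to capabilities the article
# lists. Assumption: the Vpon SDK's own class names are not on the page.
SENSITIVE = {
    "CDVCapture": "audio/video capture",
    "CDVSound": "audio recording",
    "CDVCamera": "camera",
    "CDVLocation": "geolocation",
    "CDVContacts": "address book",
    "CDVFile": "file access",
    "CDVFileTransfer": "upload to remote server",
}

def audit_config(xml_text):
    """Return (sensitive plugin classes, loose network rules) from config.xml."""
    plugins, loose = [], []
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the widget XML namespace
        if name == "param" and el.get("name") == "ios-package":
            if el.get("value") in SENSITIVE:
                plugins.append(el.get("value"))
        elif name in ("access", "allow-navigation"):
            target = el.get("origin") or el.get("href") or ""
            # Wildcards and cleartext origins let untrusted content reach the bridge.
            if target == "*" or target.startswith("http://"):
                loose.append(f"{name}={target}")
    return plugins, loose

def allows_cleartext(plist_bytes):
    """True if Info.plist disables App Transport Security globally."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    return bool(ats.get("NSAllowsArbitraryLoads", False))

# Constructed sample inputs (not taken from any real app).
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <feature name="Contacts"><param name="ios-package" value="CDVContacts"/></feature>
  <feature name="Capture"><param name="ios-package" value="CDVCapture"/></feature>
  <feature name="Device"><param name="ios-package" value="CDVDevice"/></feature>
  <access origin="*"/>
  <allow-navigation href="https://ads.example.com/*"/>
</widget>"""
SAMPLE_PLIST = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})

if __name__ == "__main__":
    found, rules = audit_config(SAMPLE_CONFIG)
    for cls in found:
        print(f"JS-reachable capability: {SENSITIVE[cls]} ({cls})")
    print("loose rules:", rules, "| cleartext:", allows_cleartext(SAMPLE_PLIST))
```

A plugin that is compiled into a third-party library but never declared in `config.xml` will not show up here, so an empty result does not clear a bundle that embeds an ad SDK.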

This is not the first time FireEye has detailed the threat posed by ad SDKs. Last year, the company analyzed iBackdoor, a backdoored library that leveraged JavaScript to manipulate devices and exfiltrate sensitive information.

“Third party libraries – ad libraries in particular – are often unvetted by the community. It is common and expected that app developers will integrate third party libraries into their apps, so developers should exert caution,” FireEye researchers Jing Xie and Jimmy Su explained.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
