Mobile Ad SDK Exposes iOS Users to Remote Attacks

Vpon ad SDK exposes iOS users to attacks

The iOS version of a mobile advertising software development kit (SDK) used by developers in China and Taiwan has been found to contain code that allows malicious actors to remotely access and steal sensitive information from devices.

FireEye researchers discovered that the Vpon ad SDK for iOS includes code that allows application developers, the creator of the SDK, or malicious third parties to send remote commands to the app and instruct it to record audio, capture screenshots and videos, harvest the device’s location, access the address book, read and modify files within the app’s sandbox, exfiltrate data to remote servers, and identify and launch applications installed on the device.

Experts determined that the code is included only in versions of Vpon’s SDK that have been integrated with a platform from AdsMogo, a company that claims to be the largest mobile supply-side platform (SSP) and ad exchange in China.

According to FireEye, the malicious capabilities introduced by the use of the ad SDK are delivered through plugins of Apache Cordova, the open source mobile development framework that allows users to leverage web technologies such as HTML5 and JavaScript for cross-platform development.

These Cordova plugins allow app developers to interact with the operating system and the hardware, including the accelerometer, geolocation, the camera, media, contacts, and storage.

While Vpon has implemented these plugins, the capabilities they offer are not available to developers in the company’s standard SDK. However, AdsMogo provides a piece of software that allows app developers to integrate the Vpon SDK with the plugin capabilities enabled.
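As an added example (not code from FireEye's research or from the SDK), a developer can check their own build's executable for Cordova plugin classes covering the capabilities listed above before shipping an app that bundles a third-party ad library. Assumptions: the class names are those of the upstream Apache Cordova plugins (the article does not give the names Vpon uses, so a clean result does not prove absence), and the input is an unencrypted executable from your own build.

```python
import re
import sys

# Upstream Apache Cordova iOS plugin classes -> capability they expose.
# Assumption: the SDK keeps these upstream names; a renamed copy will not match.
CORDOVA_PLUGIN_CLASSES = {
    b"CDVAccelerometer": "accelerometer",
    b"CDVLocation": "geolocation",
    b"CDVCamera": "camera",
    b"CDVCapture": "audio/video/image capture",
    b"CDVSound": "media playback and audio recording",
    b"CDVContacts": "address book",
    b"CDVFile": "file access inside the app sandbox",
    b"CDVFileTransfer": "file upload/download to remote servers",
}
COLLECTORS = {"CDVLocation", "CDVCamera", "CDVCapture", "CDVSound", "CDVContacts", "CDVFile"}

def identifiers(blob: bytes) -> set:
    """Whole identifier tokens in a binary, so CDVFileTransfer does not count as CDVFile."""
    tokens = re.findall(rb"[A-Za-z_][A-Za-z0-9_]{3,}", blob)
    # Symbol names look like _OBJC_CLASS_$_CDVCamera: drop the leading underscore.
    return {t.lstrip(b"_") for t in tokens}

def audit_binary(blob: bytes) -> dict:
    """Return {class name: capability} for each Cordova plugin class present."""
    found = identifiers(blob)
    return {n.decode(): cap for n, cap in CORDOVA_PLUGIN_CLASSES.items() if n in found}

def collects_and_sends(findings: dict) -> bool:
    """True when a data-collecting plugin ships alongside the transfer plugin."""
    return "CDVFileTransfer" in findings and bool(COLLECTORS & findings.keys())

# Constructed sample bytes standing in for a Mach-O string table (not a real app).
SAMPLE = b"\x00CDVFileTransfer\x00_OBJC_CLASS_$_CDVCamera\x00MyCDVContactsHelper\x00"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = audit_binary(data)
    for name, cap in result.items():
        print(f"{name}: {cap}")
    print("collection + transfer present:", collects_and_sends(result))
```

A hit means the capability is linked into the app, not that it is being used; it is a prompt to ask the SDK vendor why the class is there.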

FireEye reported identifying 36 iOS applications containing the risky code on the Apple App Store. Apple has been informed about the issue, but it has not provided any feedback to the security firm. Vpon has ignored FireEye’s notifications and had not responded to SecurityWeek’s request for comment by the time of publication.

While researchers have not captured any network traffic during their investigation to determine if the potentially malicious code is actually being used, they said they see no justification for Vpon to need these capabilities.

Experts pointed out that in addition to the provider of the SDK, an attacker with a privileged position on the network could also leverage the capabilities offered by the SDK to target users.

This is not the first time FireEye has detailed the threat posed by ad SDKs. Last year, the company analyzed iBackdoor, a backdoored library that leveraged JavaScript to manipulate devices and exfiltrate sensitive information.

“Third party libraries – ad libraries in particular – are often unvetted by the community. It is common and expected that app developers will integrate third party libraries into their apps, so developers should exert caution,” FireEye researchers Jing Xie and Jimmy Su explained.

Related Reading: iOS App Patching Solutions Introduce Security Risks

Related Reading: Malvertising Campaign Abuses Baidu Ad API

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
