
Mobile Ad SDK Exposes iOS Users to Remote Attacks


The iOS version of a mobile advertising software development kit (SDK) used by developers in China and Taiwan has been found to contain code that allows malicious actors to remotely access and steal sensitive information from devices.

FireEye researchers discovered that the Vpon ad SDK for iOS includes code that allows application developers, the creator of the SDK, or malicious third parties to send remote commands to the app and instruct it to record audio, capture screenshots and videos, harvest the device’s location, access the address book, read and modify files within the app’s sandbox, exfiltrate data to remote servers, and identify and launch applications installed on the device.

Experts determined that the code is included only in versions of Vpon’s SDK that have been integrated with a platform from AdsMogo, a company that claims to be the largest mobile supply-side platform (SSP) and ad exchange in China.

According to FireEye, the malicious capabilities introduced by the use of the ad SDK are delivered through plugins of Apache Cordova, the open source mobile development framework that allows users to leverage web technologies such as HTML5 and JavaScript for cross-platform development.

These Cordova plugins allow app developers to interact with the operating system and the hardware, including the accelerometer, geolocation, the camera, media, contacts, and storage.

While Vpon has implemented these plugins, the capabilities they offer are not available to developers in the company’s standard SDK. However, AdsMogo provides a piece of software that allows app developers to integrate the Vpon SDK with the plugin capabilities enabled.

FireEye reported identifying 36 iOS applications containing the risky code on the Apple App Store. Apple has been informed about the issue, but it has not provided any feedback to the security firm. Vpon has ignored FireEye’s notifications and had not responded to SecurityWeek’s request for comment by the time of publication.

While researchers have not captured any network traffic during their investigation to determine if the potentially malicious code is actually being used, they said they see no justification for Vpon to need these capabilities.


Experts pointed out that in addition to the provider of the SDK, an attacker with a privileged position on the network could also leverage the capabilities offered by the SDK to target users.

This is not the first time FireEye has detailed the threat posed by ad SDKs. Last year, the company analyzed iBackdoor, a backdoored library that leveraged JavaScript to manipulate devices and exfiltrate sensitive information.

“Third party libraries – ad libraries in particular – are often unvetted by the community. It is common and expected that app developers will integrate third party libraries into their apps, so developers should exert caution,” FireEye researchers Jing Xie and Jimmy Su explained.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
