Mobile Advertising and What it Means for Security

If Controlling Mobile Malware Isn’t on Your Radar, it Definitely Should Be...

Last week Facebook blew past Wall Street’s expectations, driven heavily by aggressive growth in revenues generated by their mobile advertising business. Facebook derives most of their revenue from advertising, and over the past year mobile ad revenue has risen dramatically from 14% to 41% of Facebook’s total ad revenue. So you may be thinking, “that’s nice for Facebook, but what does that have to do with security?” Well, potentially quite a lot.

Simply put, Facebook’s results show just how big a business mobile advertising is becoming. The problem is that not all ad networks are as reputable as Facebook; some, in fact, are downright malicious. As an example, an ad network called “BadNews” was recently revealed to actually be a network for distributing mobile malware. This is a particularly insidious method for delivering malware, and to truly understand it you need to know a bit about the interrelationship between applications and ad networks.

Malicious Mobile Ads

It’s no secret that advertising drives considerable revenue for web applications as well as mobile applications. Many mobile applications will have a paid version as well as a free version subsidized by ad revenue. The issue is that those applications need to have a hook built in to talk to the appropriate ad network, so that they can serve the right ads and ultimately get paid. The problem is that a completely benign application (or application developer) can unwittingly get involved with a malicious ad network that pushes malware. So an unsuspecting developer has the potential to install a benign library that reaches out to an ad/malware network that delivers malware back to the user’s device. Because the original app is not itself malicious, these applications can be found on reputable app stores. For example, benign applications connected with BadNews were found on Google Play.

All of this leads to a major collision of macro-economic trends, with security implications at the center of it all. The growth of mobile devices, whether in the form of smartphones or tablets, is self-evident. These same devices for the most part lack consistent security protections, especially from new mobile malware. Advertisements and the ad networks that deliver them directly support many of the applications that make these devices so compelling.

Lastly, these mobile devices, once on the enterprise network, are essentially fully functional computers. Put all together, we have a massive number of unprotected devices and a potentially integrated distribution network for malware, in the form of ad networks, quietly feeding malware to the devices on our networks.

It’s important to note that the examples of this type of strategy are still relatively rare compared to what we see in terms of malware targeting PCs. However, as security professionals, it’s our job to see around the corner whenever possible. While the sky is not falling, if controlling mobile malware isn’t on your radar, it definitely should be.

Wade Williamson is Director of Product Marketing at Vectra Networks. Prior to joining Vectra, he was a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.