Mobile Advertising and What it Means for Security

If Controlling Mobile Malware Isn’t on Your Radar, it Definitely Should Be…

Last week Facebook blew past Wall Street’s expectations, driven heavily by aggressive growth in revenues generated by their mobile advertising business. Facebook derives most of their revenue from advertising, and over the past year mobile ad revenue as risen dramatically from 14% to 41% of Facebook’s total ad revenue. So you may be thinking, “that’s nice for Facebook, but what does that have to do with security?” Well, potentially quite a lot.

Simply put, Facebook’s results show just how much of a big business mobile advertising is becoming. The problem is that not all ad networks are as reputable as Facebook – some in fact are downright malicious. As an example, an ad network called “BadNews” was recently revealed to actually be a network for distributing mobile malware. This is a particularly insidious method for delivering malware, and to truly understand it you need to know a bit about the interrelationship between applications and ad networks.

It’s no secret that advertising drives considerable revenue for web applications as well as mobile applications. Many mobile applications will have a paid version as well as a free version subsidized by ad revenue. The issue is that those applications need to have a hook built in to talk to the appropriate ad network, so that they can serve the right ads, and ultimately get paid. The problem is a completely benign application (or application developer) can unwittingly get involved with a malicious ad network that pushes malware. So an unsuspecting developer has the potential to install a benign library that reaches out to an ad/malware network that delivers malware back to the user’s device. Because the original app is itself, not malicious, these applications can be found on reputable app stores. For example, benign applications connected with BadNews was found on Google Play.

All of this leads to a major collision of macro-economic trends with security implications at the center of it all. The growth of mobile devices, whether in the form of smart-phones or tablets is self-evident. These same devices for the most part lack consistent security protections, especially from new mobile malware. Advertisements and the ad networks that deliver them directly support many of the applications that make these devices so compelling.

Lastly, these mobile devices, once on the enterprise network, are essentially fully functional computers. So put altogether we have a massive number of unprotected devices, a potentially integrated distribution network for malware in the form of ad networks, quietly feeding malware to the devices on our networks.

It’s important to note that the examples of this type of strategy are still relatively rare compared to what we see in terms of malware targeting PCs. However, as security professionals, it’s our job to see around the corner whenever possible. While the sky is not falling, if controlling mobile malware isn’t on your radar, it definitely should be.