Advertising SDK Can Be Hijacked for Making Phone Calls, Geo-Locating
Most developers rely on an advertising SDK to monetize a free mobile application.
But amid a boom in both advertising and Android app market development, some SDK implementations might pose a risk to application consumers connecting via unsafe networks. Such is the case with Widdit, an advertising framework that uses an interesting technique for implementing new features without requesting additional permissions.
A word from the sponsors
The SDK that gets shipped with the mobile application is a stripped-down downloader for the actual SDK. The downloader requests all the permissions it might ever need (and even more) at install time to make sure all features added in upcoming versions of the SDK will have no problem running on the mobile device.
When the user starts the application, it connects to the Internet and checks the latest version of the SDK, then fetches it – a JAR file – from the web.
Based on our telemetry, we identified approximately 1,640 applications on Google Play, of which 1,122 have been taken down already.
We mentioned before that the SDK asks for a multitude of mandatory permissions and event receivers. These permissions are not necessarily used by the SDK, but requesting them ensures that anything introduced later in the SDK will work out of the box. Among the weirdest permissions we saw are permissions to disable the lock-screen, to record audio or to read browsing history and bookmarks.
The SDK can also execute specific code when one of the following events is detected on the phone: when the phone has rebooted, when it receives an SMS, when a call is placed, when an application is installed or uninstalled or when an intent occurs from the GoogleCloudMessaging API.
Expanding the attack surface
When designing Android applications, developers of any kind should obey the core application quality guidelines provided by Google. More to the point, the Android App Development Guidelines include a provision known as FN-P1 that states the application should request the absolute minimum permissions it needs to support core functionality. The more unnecessary permissions, the larger the application’s attack surface.
When analyzing the framework, we detected two other unusual behaviors in its implementation. The first is that the JAR file is downloaded over plain HTTP (unencrypted); the second is that the downloader performs no security or integrity check to verify that the JAR is authorized or that it has not been manipulated in transit. Together, these leave room for a wide range of man-in-the-middle attacks.
We set up a “rogue network” with a proxy server that intercepted the original update request from applications monetized with Widdit. When the downloader initiated the request, the proxy served a slightly altered JAR file that included phone calling and SMS hijacking capabilities along with logging for both behaviors. The application downloaded and ran the JAR file and executed the malicious code without objection, as it had been granted phone calling and SMS interception permission upon installation.
The test, though carried out in a controlled environment, can only spell danger. Most Android-powered devices are mobile and spend much of their time connected to untrusted Wi-Fi networks that could potentially be used to automate this kind of attack.
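As an added illustration (not Widdit's code, nor code from the researchers quoted here), the following hypothetical Android downloader shows the two missing controls together: the JAR is fetched over HTTPS, so a proxy on the rogue network cannot silently swap it, and a detached signature is verified against a publisher key shipped inside the APK before the JAR is handed to a class loader. The URL, the `.sig` naming convention and the key bytes are assumptions.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import javax.net.ssl.HttpsURLConnection;

// Hypothetical hardened replacement for a "download-then-run" SDK loader.
public final class VerifiedSdkLoader {

    // Reads an HTTPS resource fully. Using HttpsURLConnection (not HTTP) means a
    // transparent proxy cannot alter the body without breaking the TLS session.
    private static byte[] fetch(String url) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        try (InputStream in = c.getInputStream();
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.toByteArray();
        } finally {
            c.disconnect();
        }
    }

    // Verifies an RSA/SHA-256 signature over the raw JAR bytes with a key embedded
    // in the app (publisherKeyDer, DER/X.509 encoded). A JAR altered in transit,
    // as in the rogue-network test, fails here before any of its code is loaded.
    static boolean verify(byte[] jar, byte[] sig, byte[] publisherKeyDer) throws Exception {
        PublicKey key = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(publisherKeyDer));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(jar);
        return s.verify(sig);
    }

    public static ClassLoader load(Context ctx, String jarUrl, byte[] publisherKeyDer) throws Exception {
        byte[] jar = fetch(jarUrl);
        byte[] sig = fetch(jarUrl + ".sig");   // assumed: detached signature next to the JAR
        if (!verify(jar, sig, publisherKeyDer)) {
            throw new SecurityException("SDK JAR signature mismatch; refusing to load it");
        }
        File dir = ctx.getDir("sdk", Context.MODE_PRIVATE);   // app-private, not world-writable
        File out = new File(dir, "sdk.jar");
        try (FileOutputStream fos = new FileOutputStream(out)) { fos.write(jar); }
        return new DexClassLoader(out.getPath(), dir.getPath(), null, ctx.getClassLoader());
    }
}
```

Storing the JAR and its optimized output under an app-private directory matters as much as the signature check: a world-writable cache would let another process on the device replace the file after verification.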
The Android ecosystem has become extremely rich in applications just because advertising frameworks support the bulk of the development costs and allow developers to further create or enrich existing applications. But with great power comes great responsibility and sometimes features end up abused because of faulty implementation. Since these complex operations take place under the hood and often show no hints or warnings to the end-user, it is Clueful’s mission to transparently inform the user of the dangers they face when installing such applications.
This is not the only framework vulnerable to man-in-the-middle attacks identified lately. In November, Bitdefender researchers Vlad Bordianu and Tiberius Axinte replicated the same type of attack against the Vulna/AppLovin framework.
We have added a Clueful detection for applications built with Widdit. Clueful can be downloaded directly from Google Play either as a stand-alone product or as part of the Premium Bitdefender Mobile security.
Article courtesy of Bitdefender mobile researchers Vlad Bordianu and Tiberius Axinte.