{"id":3013,"date":"2013-10-25T12:30:28","date_gmt":"2013-10-25T16:30:28","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=3013"},"modified":"2020-02-26T10:44:48","modified_gmt":"2020-02-26T15:44:48","slug":"whats-the-deal-with-adware-on-android","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/whats-the-deal-with-adware-on-android\/3013\/","title":{"rendered":"What&#8217;s the Deal with Adware on Android?"},"content":{"rendered":"<p>In most cases, the \u201cfree\u201d Android applications you download from Google\u2019s Play store aren\u2019t free at all. These developers aren\u2019t just developing apps for you out of the kindness of their collective hearts. Like most online services that don\u2019t ask for the traditional up-front payment, the mobile application profit model relies on advertising and in-app purchases.<\/p>\n<p>During the development process, whoever is building an application will often choose some third-party ad library and bundle it into their app. Once an app is live in the Google Play store and starts getting downloaded by Android users, that third-party company is responsible for serving ads and paying the application\u2019s developer.<\/p>\n<p>Neither the developer nor the user has any control over what this ad library is doing, what kind of information it collects, the ads it serves or how it interacts with user devices. Some ad libraries are perfectly straightforward and responsible. Some are deceitful and reckless.<\/p>\n<p>One such popular ad library deployed widely on Google\u2019s Android operating system boasts a handful of excessive and <a href=\"https:\/\/www.kaspersky.com\/blog\/tip-of-the-week-how-to-remove-intrusive-banners\/\" target=\"_blank\" rel=\"noopener nofollow\">intrusive<\/a> features, contains a plethora of dynamic and potentially exploitable vulnerabilities, and has been downloaded in apps more than 200 million times. 
So reckless is the behavior of this particular library that the researchers from FireEye who <a href=\"http:\/\/www.fireeye.com\/blog\/technical\/2013\/10\/ad-vulna-a-vulnaggressive-vulnerable-aggressive-adware-threatening-millions.html\" target=\"_blank\" rel=\"noopener nofollow\">analyzed it<\/a> won\u2019t even mention it by name, instead referring to it as \u201cVulna,\u201d a melding of the two words they claim describe the library best: vulnerable and aggressive.<\/p>\n<div class=\"pullquote\">Neither the developer nor the user has any control over what this ad library is doing<\/div>\n<p>Like many ad libraries, Vulna has the capacity to collect sensitive information like the contents of text messages, call history, and contact lists. In addition \u2013 and more troubling \u2013 these Vulna ads can also execute downloaded code (aka install stuff) on the Android devices in which affiliated apps are installed.<\/p>\n<p>What\u2019s worse yet, the laundry list of vulnerabilities affecting the Vulna advertising service means that remote hackers can <a href=\"https:\/\/www.kaspersky.com\/blog\/exploit\/\" target=\"_blank\" rel=\"noopener nofollow\">exploit<\/a> any number of bugs, taking control of any of the ad network\u2019s features, and using them maliciously against the user whose device Vulna is present on. 
In other words \u2013 and this is the reason that FireEye isn\u2019t publicly calling the network out by name \u2013 the millions of devices that Vulna is serving ads to are theoretically susceptible to a vast array of attacks.<\/p>\n<p>Taken together with the vulnerabilities, which mostly have to do with <a href=\"https:\/\/www.kaspersky.com\/blog\/digital-certificates-httpss\/\" target=\"_blank\" rel=\"noopener nofollow\">a lack of encryption as data travels<\/a> in both directions between Vulna\u2019s servers and end-user devices, a knowledgeable attacker could theoretically do any of the following bad things: steal <a href=\"https:\/\/www.kaspersky.com\/blog\/podcast-two-factor-authentication\/\" target=\"_blank\" rel=\"noopener nofollow\">two-factor codes<\/a> sent via standard messaging service (SMS), <a href=\"https:\/\/www.kaspersky.com\/blog\/beware-of-webcams\/\" target=\"_blank\" rel=\"noopener nofollow\">view photos<\/a> and stored files, install malicious applications and icons on the home screen, delete files and data, impersonate the phone\u2019s true owner for phishing and other purposes, delete incoming text messages, make phone calls, secretly use the camera and change bookmarks so they point to malicious sites. 
Other malicious possibilities include eavesdropping on affected devices over public Wi-Fi, installing botnet malware, and hijacking Vulna\u2019s domain name system (DNS) servers, allowing the attacker to redirect the ad network\u2019s traffic away from where it is supposed to go and toward a site controlled by the attacker, <a href=\"https:\/\/www.kaspersky.com\/blog\/the-4-biggest-news-media-outlet-hacks-ever\/\" target=\"_blank\" rel=\"noopener nofollow\">which is what happened in a recent and widely publicized attack on Twitter and the New York Times<\/a>.<\/p>\n<p>Adding insult to injury, it\u2019s difficult for a user to even know if they have an application installed on their phone that is affiliated with Vulna because of the way it receives HTTP commands from the controller server. Its code is proprietary and obfuscated (as opposed to open-source), meaning that only its creators are allowed to examine it and it\u2019s generally hard to know what the ad network is up to at any given time.<\/p>\n<p>Luckily, FireEye was much more explicit about the actual identity of Vulna when they contacted Google and the company responsible for the Vulna ad libraries. <a href=\"http:\/\/www.fireeye.com\/blog\/technical\/2013\/10\/update-ad-vulna-continues.html\" target=\"_blank\" rel=\"noopener nofollow\">Just yesterday<\/a> FireEye announced that both Google and the company responsible have made a number of positive changes. Google removed a number of the applications most flagrantly abusing these behaviors and revoked the developer accounts responsible for them. Many developers updated their apps, allowing the invasive version of Vulna while others decided to drop Vulna altogether.<\/p>\n<p>Unfortunately, many Android users do not install application updates and will therefore remain vulnerable to this threat. 
In fact, FireEye estimates that some 166 million downloads still contain the bad version of Vulna.<\/p>\n<p>We obviously recommend that everybody install updates, because if you refuse to install updates, there is almost nothing anyone can do to help you. You also need to be aware of adware. Paid versions of applications may seem like a waste of money when there are free apps that serve the same purpose, but the hard truth is that nothing is free. Most so-called \u201cfree\u201d apps are ad-supported and \u2013 as the case of Vulna so perfectly illustrates \u2013 it\u2019s often impossible to know for certain what these ad libraries are up to and how they are maintained.<\/p>\n<p>Imagine for a second that an attacker were to hijack Vulna\u2019s DNS servers and redirect all of its clicks to a site hosting <a href=\"https:\/\/www.kaspersky.com\/blog\/the-big-four-banking-trojans\/\" target=\"_blank\" rel=\"noopener nofollow\">a credential-stealing banking trojan<\/a>. Millions of users could potentially have their bank accounts compromised. The costs, both in terms of time and money, associated with recovering a bank account would surely exceed the couple of dollars it might have cost to use the non-ad-supported app in the first place. Of course, paid apps aren\u2019t always available or affordable. At the very least, read and continually monitor the permissions of the apps you download and disable third-party installs whenever possible.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In most cases, the \u201cfree\u201d Android applications you download from Google\u2019s Play store aren\u2019t free at all. 
These developers aren\u2019t just developing apps for you out of the kindness of<\/p>\n","protected":false},"author":42,"featured_media":3014,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[810,105],"class_list":{"0":"post-3013","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-ads","9":"tag-android"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/whats-the-deal-with-adware-on-android\/3013\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/whats-the-deal-with-adware-on-android\/2611\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/whats-the-deal-with-adware-on-android\/2502\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/whats-the-deal-with-adware-on-android\/2771\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/whats-the-deal-with-adware-on-android\/2605\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/whats-the-deal-with-adware-on-android\/1878\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/whats-the-deal-with-adware-on-android\/3013\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/whats-the-deal-with-adware-on-android\/3013\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ads\/","name":"ads"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=301
3"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3013\/revisions"}],"predecessor-version":[{"id":32946,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3013\/revisions\/32946"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/3014"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}