Slashdot Mirror


New Attack Uses Attackers' Own Ad Network To Deliver Android Malware

Trailrunner7 writes "The concept of malware riding shotgun with legitimate mobile apps is not a new one. There have been a slew of cases in which attackers have compromised apps in the Google Play store and inserted malware into the file. But a new attack uncovered by Palo Alto Networks is using a new technique that starts with the user installing an app on her Android phone. The app could be a legitimate one or a malicious one, but it will include some code that, once the app is installed, will reach out to an ad network. Many apps include such code for legitimate ad revenue purposes, but these apps are connecting to a malicious ad network. Once the connection is made, the app will then wait until the user is trying to install another app and will pop up an extra dialog box asking for permission to install some extra code. That code is where the bad things lie. The malicious code immediately gains control of the phone's SMS app for both command and control and in order to sign the victim up for some premium-rate SMS services. The attack is interesting, said Wade Williamson, a senior security analyst at Palo Alto, because the attackers can use a legitimate ad network that's already connected to a group of apps and then at any given time flip the switch and begin using it for malicious purposes."

30 of 59 comments

  1. Then it is malicious... by RobertM1968 · · Score: 5, Insightful

    > The app could be a legitimate one or a malicious one, but it will include some code that, once the app is installed, will reach out to an ad network. Many apps include such code for legitimate ad revenue purposes, but these apps are connecting to a malicious ad network.

    In other words, "but it has malware in it for the ad portion that goes to a malicious ad network" - or the app IS malicious and not legitimate. An app isn't magically legitimate if only some portions of it are malware.

    1. Re:Then it is malicious... by ackthpt · · Score: 4, Funny

      > The app could be a legitimate one or a malicious one, but it will include some code that, once the app is installed, will reach out to an ad network. Many apps include such code for legitimate ad revenue purposes, but these apps are connecting to a malicious ad network.

      > In other words, "but it has malware in it for the ad portion that goes to a malicious ad network" - or the app IS malicious and not legitimate. An app isn't magically legitimate if only some portions of it are malware.

      "Sometimes it is difficult to differentiate between Stupidware and Malware - Stupidware being sloppily written, which allows attacks, and Malware which was purposefully written to allow attacks. Both date back at least a decade. That it's happening on a mobile device is simply a logical iteration of a predictable progression, Captain."

      "That ... still ... does not fix the ... communicator, Spock."

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Then it is malicious... by JakartaDean · · Score: 2

      I guess ... I mean, if you want to use words and definitions and stuff, then yes, you're right.

      BTW, this story has some kind of clustersummary. Monkeys and keyboards don't mix.

      I read the summary thinking "citation needed... citation needed" and "What does that mean?" Turns out the words were just lifted from the article at threatpost.com, which was just as poorly written, and also only includes one link -- to another page on the same site. That original article simply describes a method of carrying out a DDOS attack by paying for some ads, then using javascript (could even be html) on those ads to contribute to the DDOS. Cheap, not fancy, but would work if someone is stupid enough to pay ransom for getting their web site back up.

      The other article, linked to in the summary, piles a shitload of hyperbole, unsubstantiated claims and bullshit on top of that, and then gets someone to link to it here. Nothing substantiated about Android, SMS, or anything else. There is no link to Palo Alto Networks, but I googled them. There is nothing about this on their web site that I could find quickly. Nothing.

      What we have here is a completely fabricated story posted on Slashdot because someone wanted to post a story, I guess, and the editors didn't even get suspicious about the obviously wrong article and click on the one link there. Slashdot, you are sometimes great, but you would be more consistently great if the editors just spent a few more minutes with the content. Like reading the articles. This was just fucking awful.

      --
      The subject who is truly loyal to the Chief Magistrate will neither advise nor submit to arbitrary measures (Junius)
  2. Android by Anonymous Coward · · Score: 4, Funny

    The only unix-based platform riddled with security issues, virus and trojan problems.

    1. Re:Android by lister+king+of+smeg · · Score: 1

      Oh, the unix-like part is fine; it is the Java VM that, like in many other software stacks, is the root of the problem.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    2. Re: Android by ArcadeMan · · Score: 1

      Popularity != Vulnerability.

      Stop spreading FUD.

    3. Re:Android by Nerdfest · · Score: 1

      Out of curiosity, has anyone here actually run into any Android malware? Most of the people I know have been using Android for quite some time and nobody has encountered any (but they do tend to stick to the Play or Amazon stores).

    4. Re: Android by Impy+the+Impiuos+Imp · · Score: 2

      Popularity maps to number of attackers in an exponential curve.

      Obscurity =/= hardening against hacking, and one does not properly derive confidence for the security of one's system when it is attacked at 1/1000th another system's attack load.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  3. Advertising has run amok... by rts008 · · Score: 1

    Yet another good reason to avoid ads, and ignore those you can't avoid.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  4. Re:FAIL by peragrin · · Score: 2

    Um, Android is generally found on tablets. Keyboards generally don't apply.

    This is either an ID10T or MUE (Moronic User Error), depending on your point of view.

    --
    i thought once I was found, but it was only a dream.
  5. cross-site attacks by girlintraining · · Score: 5, Insightful

    Advertising on the internet is the most common route for malware by far. That's why I install ad blocking software everywhere. Marketers whine and complain about lost revenue and try to guilt you by saying they need that revenue to run the sites "for free"... but the truth is the way most advertising networks operate allow for "dancing, singing" ads -- that is, injectable javascript. Everything in the marketer's world these days is about using java to track, probe, manipulate, etc., web pages, with pop-overs, pop-unders, drive-bys, side to side scrollers, sound, motion, and anything else to get your attention.

    None of this would be a problem if they stuck to fixed-size IMG tags and graphics. In other words... marketing is a virus. It's the plague. It's not the browser's fault... it's these asshole profiteers who try to be endlessly creative in force-feeding people crap they don't want.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:cross-site attacks by TheDarkMaster · · Score: 2

      Read before commenting... The problem is not the idea of ads itself, it is how it is implemented.

      --
      Religion: The greatest weapon of mass destruction of all time
    2. Re:cross-site attacks by Anonymous Coward · · Score: 1

      It's true. Adblock+ is security software. Much better than any firewall or AV package I might ad.

      Ad vendors are scum and often lack diligence. Why? Because money that's why.

      Ad networks are vulnerable and are frequently hijacked because one ad network reaches out to a huge attack surface. (You get to touch every single user on every web page that that ad network uses)

    3. Re:cross-site attacks by dpidcoe · · Score: 1

      Since only 1 out of 5 letters has been mangled, wouldn't "galse" be like "false" except with 20% more typos?

    4. Re:cross-site attacks by tlhIngan · · Score: 2

      > Advertising on the internet is the most common route for malware by far. That's why I install ad blocking software everywhere. Marketers whine and complain about lost revenue and try to guilt you by saying they need that revenue to run the sites "for free"... but the truth is the way most advertising networks operate allow for "dancing, singing" ads -- that is, injectable javascript. Everything in the marketer's world these days is about using java to track, probe, manipulate, etc., web pages, with pop-overs, pop-unders, drive-bys, side to side scrollers, sound, motion, and anything else to get your attention.

      Except well, how do you expect developers to eat?

      Remember, the ad is loaded by the app, and given Android's fairly limited ways of monetization, developers would like to make some money back. If not through a 4rd party ad network, then through siphoning your user data off the phone to their servers.

      At least on iOS, there's a decent chance to make money without ads, but on Android, it's a lot more iffy. Ads are pretty much the only way to beat iOS at the revenue game.

    5. Re:cross-site attacks by girlintraining · · Score: 3, Insightful

      > Except well, how do you expect developers to eat?

      I suppose the same way everyone else does: By providing a good or service in exchange for monetary compensation. I know, it's an outmoded concept in the Web 2.0 way of thinking... but There Ain't No Such Thing As A Free Lunch. Advertising is not required for the survival of the species nor is its absence detrimental to long-term economic growth and stability.

      > Remember, the ad is loaded by the app, and given Android's fairly limited ways of monetization, developers would like to make some money back. If not through a 4rd party ad network, then through siphoning your user data off the phone to their servers.

      I would ask you whether Linux requires monetization of its applications in order to be useful, or that developers are not compensated in other ways. Short answer: Yes.

      > Ads are pretty much the only way to beat iOS at the revenue game.

      Call me old fashioned, but the way to beat someone at a game is to play it better than they do. It's called competition, and if you provide a better product or service, then in a fair and open market, you should win. If this isn't true, then the problem is with the market, your perception of it, or with external forces.

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:cross-site attacks by O-Deka-K · · Score: 1

      No. It's the word "more", which is confusing when used with percentages.

      A word with 6 typos would have "20% more typos" than a word with 5 typos. However, this is in itself disputable, because even if a word has more than one error in it, we often just say "it's a typo" instead of "it has 5 typos in it". For instance, if you transpose two letters by mistake (e.g. "flase"), do you say it has 2 typos in it? I know I don't.

      Even if we accept the premise that each incorrect letter counts as one "typo", then you would say that "galse" has "20% typos", not "20% MORE typos".

      The poster's logic is this:
      "false" has 0 typos in it.
      "galse" has 1 typo in it.
      Since 1 is 100% more than 0, it has "100% more typos".

      However, this is incorrect. 1 is NOT 100% more than 0. (1 - 0) divided by 0 is infinite. For it to be true, "false" would have to have 1 typo in it. Since "galse" differs by only 1 letter, this means that it has 2 typos in it, and therefore "100% more typos". Unfortunately, it makes no sense to say that.

      Therefore, the poster's logic is galse.

    7. Re:cross-site attacks by syockit · · Score: 1

      *sigh* okay. Galse, like false, except with infinitely more typos!

      --
      Democracy is for the people; you only vote once per season and we'll do the rest of the work for you don't have to.
    8. Re:cross-site attacks by TheDarkMaster · · Score: 1

      Value, my friend, value. If the app is paid but is useful, does the job properly, is reasonably priced and easy to pay for, people buy. Basic Economics 101, a lesson that most CEOs and "I want easy money NOW" types do not go to.

      --
      Religion: The greatest weapon of mass destruction of all time
    9. Re:cross-site attacks by sjames · · Score: 1

      Find a way to display tasteful ads responsibly?

  6. The Matrix by ArcadeMan · · Score: 4, Insightful

    Marketing is a disease, a cancer of the Web, it is a plague, and blocking software is the cure.

    1. Re:The Matrix by Errol+backfiring · · Score: 1

      No, that's a bug. But luckily, you can fix that bug.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  7. Re:FAIL by Dancindan84 · · Score: 4, Funny

    Problem
    Between
    Kindle
    And
    Chair?

    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
  8. I described this two weeks ago, /.rs said impossib by raymorris · · Score: 2

    > the app will then wait until the user is trying to install another app and will pop up an extra dialog box asking for permission

    A couple of weeks ago when I described this attack, some commenters said it was impossible - an app can't wait until the user was expecting a permission prompt from a different app, then request more permissions itself, they said.

    I wonder if they still think it's impossible now that it's publicly reported to be in the wild.

  9. Re:FAIL by technix4beos · · Score: 1

    There are virtual keyboards on tablets.

    --
    user@host$ diff /dev/urandom /dev/uspto
  10. Re:I described this two weeks ago, /.rs said impos by mattack2 · · Score: 1

    So Android apps aren't in a sandbox? Why does an app get a notification that another app is being installed AT ALL?

  11. "It's working! Neville - It's working..." by Anonymous Coward · · Score: 2, Interesting

    I avoid ads totally (especially malscripted ones) via hosts files:

    ---

    APK Hosts File Engine 9.0++ 32/64-bit:

    http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    ---

    Yes, even on an android smartphone

    (Via ADB/Android Debugging Bridge & its PULL command, but use smaller optimized hosts there folks - not much room, shitty caching (sorry google, it's true)).

    As long as attacks = host-domain name based (most are, like 99%, especially via "immortal" fastflux + dynDNS malware the majority/prevalent type out there vs. IP addressed ones).

    Hosts files do more with less in a single file & at a faster privilege level (ring 0/rpl0/kernelmode) than redundant, crippled-by-default browser addons (that slow up already slower ring 3/rpl 3/usermode browsers & are advertiser owned (Ghostery/Adblock "foxes guarding your henhouse")).

    "Less is more" = GOOD engineering via less complexity, room for breakdown, & less "moving parts"/variables in the equation.

    "The premise is, quite simple: Take something designed by nature & reprogram it to work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

    Since "They're not gonna stop..." - Dr. Robert Neville "I AM LEGEND" @ that film's near termination...

    APK

    P.S.=> Hosts work by acting as a filter for the IP stack itself (written in C language & starts with the OS + 1st request to the internet; it is the 1st resolver queried as well, with over 45++ yrs. of optimization refinement put into it).

    Hosts also aid reliability vs. downed DNS & protect vs redirected DNS servers, also securing you vs. known bad hosts-domains online http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 . Hosts files give users of them good benefits in added speed, security, reliability & even added anonymity (to an extent), all enumerated in the link to my program above, in detail...apk

  12. Re:Her Android phone? by immaterial · · Score: 1

    The correct gender neutral word is "their" instead of "his" or "her," and "they" instead of "he" or "she." Historically I think the male form was the standard generic term, but of late the obvious sexism inherent with that has led people to say things like "his or her" and "s/he" -- or just randomly using both "his" and "her" in the course of their writing. All those are silly, IMO, since we have the neutral words their and they (some people don't like these because they think those words must be plural, but that is not correct).

  13. How does this happen? by Okian+Warrior · · Score: 1

    > ... in order to sign the victim up for some premium-rate SMS services.

    The fuck?

    Why the hell doesn't the FTC shut these companies down? Why doesn't the FCC kick the carriers' behinds into policing these companies better? Why doesn't the US attorney's office rain hellfire and brimstone down on these companies to the extent it did to Aaron Swartz?

    Premium SMS is billed through the carriers, so they have a relationship with the SMS company. There is a clear money trail. The recipient is most likely incorporated. This should be easy.

    With all the US mistrust of government right now, this would be an easy way to gain some respectability.

  14. Good thing I have sprint by IwantToKeepAnon · · Score: 1

    Good thing I have sprint, I never get any signal for the virus to send SMS messages, and forget about signing up for any services (useful or not). :/

    --
    "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy