Over 200m Android devices exposed to buggy AppLovin ad library
18 November 2013, 14:18
Researchers are urging Android app developers who use in-app advertising tools from ad network AppLovin to update their apps and protect end users from serious security risks in the company’s ad library.
Potentially hundreds of millions of Android devices are exposed to remote attacks due to buggy versions of an ad library from AppLovin, a popular ad network whose vulnerable ad libraries may be present in 200 million apps installed from Google Play.
Researchers at security firm FireEye on Sunday urged Android developers who use versions 3.x, 4.x and 5.0.x of AppLovin’s ad library to update to version 5.1 of the company’s software, which fixes security issues that could allow attackers to steal information or manipulate data on devices.
In-app advertising can help developers cover the cost of their ‘free’ apps, but it can also be abused by attackers. When an end user clicks on an ad served up inside an app, the network behind the ad pays the app maker. To enable this, the developer bundles an ad library from the ad network in their app.
But researchers have previously highlighted problems with the practice. The ad library itself can introduce privacy risks by piggy-backing on permissions a person gave to the host app, allowing the ad network for example to use the device’s GPS to track the user’s location.
And, depending on the host app’s design, the ad library can also introduce other security risks for the devices on which apps carrying the library are installed.
FireEye’s researchers in October raised an alarm over an ad network it named “Vulna” (which on Sunday it revealed was AppLovin), highlighting the library’s aggressive behaviours, such as the ability to collect device identifiers and the device’s location. While these capabilities were not atypical for ad networks, the library could also, at the company’s discretion, read text messages, phone call history and the contact list, and use the host app to download and execute code on the device.
Since AppLovin didn’t encrypt commands sent to apps, or the details sent from the app back to its own servers, attackers could use the platform to control a device’s hardware features, depending on the permissions the host app was given. The researchers noted: “many host apps containing Vulna have powerful permissions that allow controlling the camera; reading and/or writing SMS messages, phone call history, contacts, browser history and bookmarks; and creating icons on home screen.”
Attackers could target the device directly or use AppLovin’s infrastructure to attack devices. For example, it was possible to use the vulnerabilities in the ad library to hijack a device while it was connected to a public Wi-Fi network. Alternatively, a hacker could attack the ad network itself, causing its servers to redirect in-app ads to a site under the attacker’s control.
The good news, according to FireEye, is that because some apps have been updated or removed, installs of apps that contain the vulnerable ad library have dropped markedly since 20 September, from 400m to just over 200m on 16 November.
However, the researchers note, the millions of devices that already downloaded those apps remain vulnerable, since the vulnerable apps are not automatically removed from the devices.
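As an added example (not from the article, nor from FireEye or AppLovin), the Python check below flags entries in an app inventory whose bundled AppLovin SDK falls in the version ranges the advisory names. The package names and versions are constructed, and treating every version below 5.1 as vulnerable is this script’s own conservative assumption.

```python
"""Flag inventory entries that bundle a vulnerable AppLovin SDK version.

Rule taken from the advisory described in the article: 3.x, 4.x and 5.0.x
are vulnerable, 5.1 fixes the issues. Anything older than 3.0 is also
flagged here, an assumption made to err on the side of reporting.
"""
import re
from typing import List, Tuple

FIXED_VERSION = (5, 1)  # first fixed release named in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.0.12' into (5, 0, 12); a trailing tag such as '-beta' is ignored.

    Numeric comparison matters: compared as strings, '5.10.2' sorts below
    '5.1' and a patched build would be misreported as vulnerable.
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable SDK version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_applovin(version: str) -> bool:
    """True for any SDK version below 5.1 (covers the 3.x, 4.x, 5.0.x branches)."""
    return parse_version(version) < FIXED_VERSION


def apps_needing_update(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (package, sdk_version) pairs whose bundled SDK is still vulnerable."""
    return [(pkg, ver) for pkg, ver in inventory if is_vulnerable_applovin(ver)]


# Constructed sample inventory (hypothetical package names and SDK versions),
# of the kind an MDM export or a static pass over installed APKs would produce.
SAMPLE_INVENTORY = [
    ("com.example.flashlight", "3.2.1"),
    ("com.example.weather", "4.9"),
    ("com.example.notes", "5.0.7-beta"),
    ("com.example.runtracker", "5.1"),
    ("com.example.puzzle", "5.10.2"),
]

if __name__ == "__main__":
    for pkg, ver in apps_needing_update(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {pkg} bundles AppLovin SDK {ver}")
```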