Over 200m Android devices exposed to buggy AppLovin ad library

Researchers are urging Android app developers who use in-app advertising tools from ad network AppLovin to update their apps and protect end users from serious security risks in the company’s ad library.

Potentially hundreds of millions of Android devices are exposed to remote attacks due to buggy versions of an ad library from AppLovin, a popular ad network whose vulnerable ad libraries may be present in apps with some 200 million installs from Google Play.

Researchers at security firm FireEye on Sunday urged Android developers that use versions 3.x, 4.x and 5.0.x of AppLovin’s ad library to update to version 5.1 of the company’s software, which fixes security issues that could allow attackers to steal information or manipulate data on devices.
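A version triage check for the ranges named above, added here as an example and not code from FireEye or AppLovin; the inventory line format (app id plus `applovin=VERSION`) is constructed, and versions below 3.0 are reported separately because the advisory says nothing about them.

```python
import re

# Ranges reported above: 3.x, 4.x and 5.0.x are affected, 5.1 is the fix.
# Versions below 3.0 are not mentioned, so they are flagged, not called safe.
FIRST_AFFECTED = (3, 0)
FIXED_VERSION = (5, 1)

def parse_version(text):
    """Turn '5.0.3' into (5, 0, 3). Compare numerically, not as strings:
    as strings '5.10' < '5.9' and '5.0.3' > '5.1', both wrong."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def classify(version):
    """Map an AppLovin SDK version string to a triage verdict."""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    v = v + (0,) * (2 - len(v))   # so '5' compares like '5.0'
    if v >= FIXED_VERSION:
        return "fixed"
    if v >= FIRST_AFFECTED:
        return "update-required"
    return "outside-advisory"

def triage_inventory(inventory):
    """inventory: constructed 'app-id applovin=VERSION' lines, one per app."""
    verdicts = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        app, _, ver = line.partition(" applovin=")
        verdicts[app] = classify(ver) if ver else "unparseable"
    return verdicts

# Constructed sample inventory; these are not real apps or real version data.
SAMPLE_INVENTORY = """\
# app-id applovin=version
com.example.flashlight applovin=3.2.1
com.example.puzzle applovin=5.0.9
com.example.weather applovin=5.1
com.example.radio applovin=5.10.2
com.example.notes applovin=2.4
com.example.broken applovin=latest
"""

if __name__ == "__main__":
    for app, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{app:28} {verdict}")
```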

In-app advertising can help developers cover the cost of their ‘free’ apps, but it can also be abused by attackers. When an end user clicks on an ad served inside an app, the network behind the ad pays the app maker. To enable this, the developer bundles an ad library from the ad network in their app.

But researchers have previously highlighted problems with the practice. The ad library itself can introduce privacy risks by piggy-backing on permissions a person gave to the host app, allowing the ad network for example to use the device’s GPS to track the user’s location.

And, depending on the host app’s design, the ad library can also create other security risks for the devices on which apps carrying the library are installed.

FireEye’s researchers in October raised an alarm over an ad network it named “Vulna” -- which on Sunday it revealed was AppLovin -- highlighting the library’s aggressive behaviours, such as its ability to collect device identifiers and the device’s location. While these capabilities are not atypical of ad networks, the library could also, at the company’s discretion, read text messages, phone call history and the contact list, and use the host app to download and execute code on the device.

Since AppLovin didn’t encrypt commands to apps or encrypt details from the app to its own servers, attackers could use the platform to control a device’s hardware features, depending on permissions the app was given. The researchers noted: “many host apps containing Vulna have powerful permissions that allow controlling the camera; reading and/or writing SMS messages, phone call history, contacts, browser history and bookmarks; and creating icons on home screen.”

Attackers could target the device directly or use AppLovin’s infrastructure to attack devices. For example, it was possible to use the vulnerabilities in the ad library to hijack a device while it was connected to a public Wi-Fi network. Alternatively, an attacker could compromise the ad network itself, causing its servers to redirect in-app ads to a site under the attacker’s control.

The good news, according to FireEye, is that because some apps have been updated or removed, installs of apps that contain the vulnerable ad library have dropped markedly since 20 September, from 400m to just over 200m on 16 November.

However, the researchers note, the millions of devices that already downloaded those apps remain vulnerable, since the apps are not automatically removed from the devices.

Stories by Liam Tung