Over 200m Android devices exposed to buggy AppLovin ad library

Researchers are urging Android app developers who use in-app advertising tools from ad network AppLovin to update their apps and protect end users from serious security risks in the company’s ad library.

Potentially hundreds of millions of Android devices are exposed to remote attacks due to buggy versions of an ad library from AppLovin, a popular ad network whose vulnerable ad library may be present in apps accounting for some 200 million installs from Google Play.

Researchers at security firm FireEye on Sunday urged Android developers who use versions 3.x, 4.x and 5.0.x of AppLovin’s ad library to update to version 5.1 of the company’s software, which fixes security issues that could allow attackers to steal information from, or manipulate data on, affected devices.

In-app advertising can help developers cover the cost of their ‘free’ apps, but it can also be abused by attackers. When an end user clicks on an ad served up inside an app, the network behind the ad pays the app maker. To enable this, the developer bundles an ad library from the ad network into their app.

But researchers have previously highlighted problems with the practice. The ad library runs inside the host app’s process, so it inherits every permission the user granted to that app. That can introduce privacy risks, allowing the ad network, for example, to use the device’s GPS to track the user’s location.

And, depending on the host app’s design, the ad library can also expose the device it is installed on to other security risks.

FireEye’s researchers in October raised an alarm over an ad library it codenamed “Vulna” -- which on Sunday it revealed was AppLovin’s -- highlighting the library’s aggressive behaviours, such as collecting device identifiers and the device’s location. While these capabilities are not atypical of ad networks, the library could also, at the company’s discretion, read text messages, phone call history and the contact list, and use the host app to download and execute code on the device.

Because AppLovin did not encrypt the commands its servers sent to the library, nor the data the library sent back to those servers, an attacker able to intercept that traffic could use the platform to control a device’s hardware features, subject to the permissions the host app had been granted. The researchers noted: “many host apps containing Vulna have powerful permissions that allow controlling the camera; reading and/or writing SMS messages, phone call history, contacts, browser history and bookmarks; and creating icons on home screen.”

Attackers could target the device directly or use AppLovin’s infrastructure to attack devices. For example, the vulnerabilities in the ad library could be used to hijack a device while it is connected to a public Wi-Fi network. Alternatively, an attacker could compromise the ad network itself and have its servers redirect in-app ads to a site under the attacker’s control.
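To make the two attack paths above concrete, here is an added illustration of the vulnerability class FireEye describes: a “remote update” feature that fetches code over plain HTTP and loads it into the host app, alongside a hardened version of the same feature. This is example code written for this page, not AppLovin’s SDK, and every name in it (`AdUpdater`, the `ads.example.invalid` URLs, the pinned key, the entry class) is a hypothetical placeholder.

```java
// Added illustration (not AppLovin's code): a hypothetical ad-SDK "remote
// update" that downloads and executes code. The vulnerable variant fetches over
// plain HTTP with no integrity check; the hardened variant requires HTTPS and a
// signature made with the vendor's key before anything is loaded.
// All names below (AdUpdater, example.invalid hosts, keys, classes) are made up.

import android.content.Context;
import android.util.Base64;
import dalvik.system.DexClassLoader;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import javax.net.ssl.HttpsURLConnection;

public class AdUpdater {

    // --- Vulnerable pattern ---------------------------------------------------
    // Plain HTTP and no integrity check: anyone on the same Wi-Fi network, or
    // anyone who compromises the ad server, can return a DEX of their choosing,
    // and it runs with every permission the host app was granted.
    public static void vulnerableUpdate(Context ctx) throws Exception {
        URL url = new URL("http://ads.example.invalid/sdk/update.jar"); // hypothetical
        File dex = new File(ctx.getDir("update", Context.MODE_PRIVATE), "update.jar");
        try (InputStream in = url.openConnection().getInputStream();
             FileOutputStream out = new FileOutputStream(dex)) {
            out.write(readAll(in));
        }
        loadAndRun(ctx, dex);
    }

    // --- Hardened pattern -----------------------------------------------------
    // 1. HTTPS only: the cast to HttpsURLConnection fails closed for http:// URLs
    //    and redirects are not followed, so a downgrade cannot slip through.
    // 2. The payload ships with a detached signature made by the vendor's private
    //    key; the public key is compiled into the SDK, so neither a MITM nor a
    //    compromised server can produce code the client will accept.
    // 3. Nothing is written to the code cache until the signature verifies.
    private static final String VENDOR_PUBKEY_B64 = "..."; // hypothetical pinned RSA key

    public static void hardenedUpdate(Context ctx) throws Exception {
        byte[] payload = fetchHttps("https://ads.example.invalid/sdk/update.jar");
        byte[] sig     = fetchHttps("https://ads.example.invalid/sdk/update.jar.sig");
        if (!verify(payload, sig, VENDOR_PUBKEY_B64)) {
            throw new SecurityException("update signature invalid; refusing to load");
        }
        File dex = new File(ctx.getDir("update", Context.MODE_PRIVATE), "update.jar");
        try (FileOutputStream out = new FileOutputStream(dex)) {
            out.write(payload);
        }
        dex.setReadOnly(); // newer Android releases require dynamically loaded DEX to be read-only
        loadAndRun(ctx, dex);
    }

    static byte[] fetchHttps(String u) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(u).openConnection();
        c.setInstanceFollowRedirects(false); // a redirect to http:// must not be followed
        try (InputStream in = c.getInputStream()) {
            return readAll(in);
        }
    }

    static boolean verify(byte[] data, byte[] sig, String pubB64) throws Exception {
        byte[] der = Base64.decode(pubB64, Base64.DEFAULT);
        PublicKey pk = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pk);
        s.update(data);
        return s.verify(sig);
    }

    static byte[] readAll(InputStream in) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    // Shared by both variants: this is the "execute" half of download-and-execute.
    static void loadAndRun(Context ctx, File dex) throws Exception {
        File opt = ctx.getDir("odex", Context.MODE_PRIVATE);
        DexClassLoader cl = new DexClassLoader(dex.getAbsolutePath(),
                opt.getAbsolutePath(), null, ctx.getClassLoader());
        Class<?> entry = cl.loadClass("com.example.ads.Update"); // hypothetical entry class
        entry.getMethod("run", Context.class).invoke(null, ctx);
    }
}
```

The point of the comparison is that `loadAndRun` is identical in both variants: what turns a feature into a remote code execution primitive is not the class loader but the lack of transport protection and payload authentication in front of it. A reviewer auditing a third-party SDK for this pattern can search for `DexClassLoader`, `PathClassLoader` or `Runtime.exec` and then trace back how the loaded bytes arrived.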

The good news, according to FireEye, is that because some apps have been updated or removed, the number of installs of apps containing the vulnerable ad library has dropped markedly, from 400m on 20 September to just over 200m on 16 November.

However, the researchers note, the millions of devices on which those apps were already installed remain vulnerable, since a vulnerable app is not automatically removed from a device.

Tags: Android, mobile security

1 Comment

Adam Foroughi


I want to address the concerns that this blog has brought up and offer up the steps we took to address these concerns. We first learned of the issues with our SDK on July 24th, when a security firm notified me (Adam Foroughi, CEO of AppLovin) to let us know that our Android SDK had a couple of security vulnerabilities.

They highlighted 2 key areas of vulnerability:

• A remote update feature
• Calls that give the code access to user data

My team and I took immediate action and released a new Android SDK version 5.1 on 8/1/13 that fixed these issues. I've posted a detailed blog post to highlight the steps we’re taking to fix the situation on our blog: http://blog.applovin.com/2013/11/21/applovin-security-notice/.

