Security Week 29: system advertising in Android

Last week, Kaspersky Lab experts published a large report on unwanted adware on Android smartphones. This is not the first publication on the topic: in May, for example, company experts investigated intrusive ad software found on the Google Play app store. In that case the ads disappeared once the program was removed; this time the subject is adware that is far harder to get rid of.

There are two ways to saddle a smartphone owner with ads permanently. In the first, the application plants its advertising payload in the system partition, having rooted the device by one of the known methods of obtaining root rights. In the second, the advertising is built into the phone by the manufacturer, which most often happens with inexpensive devices. According to Kaspersky Lab, up to 15% of users who encounter adware are dealing with system-level adware. Besides intrusive banners, most of these modules can download anything onto the user’s smartphone, including malware.

The functionality of some modules is impressive. For example, Trojan-Dropper.AndroidOS.Agent.pe is embedded in the system application responsible for rendering the interface, which, in principle, cannot be deleted without breaking the phone. The xHelper Trojan, investigated in April, does the same. Trojan.AndroidOS.Sivu.c covers legitimate applications or the home screen with banners and shows ads in notifications, but it can also download and install arbitrary code on the smartphone. Trojan-Downloader.AndroidOS.Facmod.a is built into the SystemUI module, is present by default on some smartphones, and can invisibly open a browser and load pages with advertising.

The report also mentions “advertising modules from manufacturers”. In particular, such a business model is used in a number of Xiaomi models. Similar functionality was found in Meizu smartphones, but the ad module there, besides the usual display of banners, could download and execute JavaScript code.

The study also analyzes other dubious pieces of code found on Meizu smartphones. The general conclusion is this: the advertising business model arguably has a right to exist, but in some smartphones the code responsible for it is simply dangerous. At a minimum, the vendor can use it to profit from displaying banners, installing sponsored applications, and so on. But if attackers somehow gain access to the advertising network, the banner features easily turn into a backdoor.

It is also worth mentioning a fresh study by Malwarebytes: its specialists found a backdoor on an Android 7.1 smartphone, built into the settings management application. The set of functions is very similar to the one described above: downloading applications, showing ads, and communicating with a command-and-control server for complete control of the device. The smartphone investigated is a cheap one, distributed by a government agency to low-income users. In this and other cases of a factory backdoor or adware, users can only hope that enthusiasts release custom firmware.

What else happened

Check Point Software specialists are investigating the Joker Trojan, which keeps reappearing on Google Play. In January of this year, the store’s moderators removed 17 thousand applications burdened with the malicious code, but they periodically return in a slightly modified form.

A report (news, source in PDF) on the security of routers from the German Fraunhofer Institute. 127 devices were examined and vulnerabilities were found in all of them, with an average of 53 critical problems per device.

A critical vulnerability in the Zoom client for Windows was found and fixed in the next version, 5.1.3. Details have not yet been disclosed, but the video above shows a PoC.

A study of vulnerabilities in TP-Link Kasa IP cameras. Nothing serious, but the implementation of the device-management web interface allows valid user logins to be identified, after which a password can be looked for, for example, in the numerous leaked credential dumps.

A critical vulnerability in the Adning plugin for WordPress-based sites.

Another set of vulnerabilities was discovered and fixed in the Citrix Application Delivery Controller and Citrix Gateway software.

An interesting study of a vulnerability in Facebook that allowed deleting any photo of any user.
