Security Week 29: system advertising in Android

Last week, Kaspersky Lab experts published big report on unwanted adware on Android smartphones. This is not the first publication on the topic: in May, for example, company experts investigated Intrusive ad software found on the Google Play app store. But if in that case the ads disappeared with the removal of the program, then now we are talking about tenacious adware.

There are two ways to forever make a smartphone owner annoying with ads. In the first case, the application registers the advertising load in the system section, cracking the smartphone using one of the methods for obtaining root rights. The second option – advertising is already built into the phone by the manufacturer: most often this happens with inexpensive devices. According to Kaspersky Lab, up to 15% of users who encounter adware are dealing with system adware. In addition to intrusive banners, most modules can download anything to the user’s smartphone, including malware.

The functionality of some modules is impressive. For example, is embedded in the system application responsible for rendering the interface, which, in principle, cannot be deleted while maintaining the phone’s functionality. The Trojan investigated in April does the same. xHelper. Trojan.AndroidOS.Sivu.c closes banners with legitimate applications or the home screen, shows ads in notifications, but can also download and install arbitrary code on a smartphone. Trojan-Downloader.AndroidOS.Facmod.a is built into the SystemUI module, it is present by default in some smartphones, it can invisibly open a browser and load pages with advertising.

The report also mentions “advertising modules from manufacturers”. In particular, such a business model applies in a number of models, Xiaomi. Similar functions were found in Meizu smartphones, but the ad module there, in addition to the usual demonstration of banners, could load and execute JavaScript code.

The study also analyzes other dubious pieces of code found on Meizu smartphones. The general conclusion is this: it can be assumed that the advertising business model has the right to life, but in some smartphones the code responsible for this is simply dangerous. At a minimum, the vendor can use it to profit from displaying banners, installing sponsored applications, and more. But if attackers gain access to the advertising network in some way, banner features easily turn into a backdoor.

It is also worth mentioning fresh study Malwarebytes: its specialists found a backdoor on a smartphone with Android 7.1 built into the settings management application. The set of functions is very similar to the one described above: downloading applications, showing ads, communicating with the command center for complete control of the device. The investigated smartphone is cheap, it is used by the government agency, which distributes devices among the poor. In this and other cases of a factory backdoor or adware, users can only hope for enthusiasts to release custom firmware.

What else happened

Check Point Software Specialists are exploring the Joker Trojan, which systematically pops up on Google Play. In January of this year, the store’s moderators removed 17 thousand applications, weighed down by malicious code, but they periodically return in a slightly modified form.

Report (newssource in Pdf) on the security of routers of the German Fraunhofer Institute. We examined 127 devices, vulnerabilities were found in all, an average of 53 critical problems in each.

In the Zoom client for Windows found and closed the critical vulnerability in the next version 5.1.3. Details have not yet been disclosed, but the video above shows PoC.

Study vulnerabilities in TP-Link Casa IP cameras. Nothing serious, but the implementation of the web interface for managing devices allows you to identify user logins and then try to find a password, for example, from numerous leaks.

Critical vulnerability in the Adning plugin for WordPress-based sites.

Another set of vulnerabilities was discovered and shut down in the Citrix Application Delivery Controller and Citrix Gateway software.

Interesting study Vulnerability in Facebook, allowing to remove any photo of any user.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *