Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Android Advertising Security Wireless Networking

Mobile Ads May Serve As a Malware Conduit 79

alphadogg writes with this excerpt from Network World: "Many mobile apps include ads that can threaten users' privacy and network security, according to North Carolina State University researchers. The National Science Foundation-funded researchers studied 100,000 apps in Google Play (formerly Android Market) and found that more than half contained ad libraries, nearly 300 of which were enabled to grab code from remote servers that could give malware and hackers a way into your smartphone or tablet. 'Running code downloaded from the Internet is problematic because the code could be anything,' says Xuxian Jiang, an assistant professor of computer science at NC State."
This discussion has been archived. No new comments can be posted.

Mobile Ads May Serve As a Malware Conduit

Comments Filter:
  • by iserlohn ( 49556 ) on Tuesday March 20, 2012 @12:29PM (#39414667) Homepage

    Please buy our products!

    • 0.3% odds of downloading one of these apps. I am not worried. Especially since I rarely download apps (I prefer mpg, mp3, and txt files via torrent).

    • Is there any evidence these products are needed for iOS, or that "free" iOS apps containing these kinds of vulnerabilities slip through the approval process?

  • on an android system level?

    etc/hosts, or dns blacklists?

  • by Anonymous Coward

    Isn't there a way to sandbox the process running the ads?

    • You mean sandbox the app itself as it calls the ad library which execute the remote code? But you've already granted that app the permissions necessary to do bad things!

    • Why not just *not install* these fucking skeezy apps? I see so many replies on how to block the functionality instead of just not infecting your phone in the first place, it's pretty sad.

  • ad block effect (Score:5, Interesting)

    by vlm ( 69642 ) on Tuesday March 20, 2012 @12:33PM (#39414743)

    I suspect the "ad block effect" that I'm used to from years of firefox will exist on android very soon. "(shock amazement) Thats what the unfiltered internet looks like now? how can anyone use that? (insert more shock amazement)"

    • Having used Adblock Plus on Firefox for a number of years I don't really know what the unfiltered internet looks like. Whenever I am forced to use IE I have to experience it however briefly.
      I know people who use IE exclusively which I can't imagine.
      How many blinking ads can you stand? Darned few!
      We badly need a way to support Adblock Plus on Android and on IE, or at least their filter list subscriptions.
      IMHO Firefox has some pretty serious issues today, I would dump it except for Adblock Plus.
      • by Anonymous Coward

        Chrome has an Adblock extension that works really well.
        You can even tell it to block Google's text ad's (though I don't, as sometimes they are quite hilarious).

        • I know Google Chrome has an adblocker, it might use the same maintained blocking lists that Adblock Plus uses. If so I would really recommend it for Chrome users.
          But Google Chrome is too minimalist for me, I like all the menubars and controls that Firefox has.
          That said, I don't like the new Firefox as well as I liked the old version with again, more menubars and controls. Heh.
          But I am an old guy.
      • It is a jarring experience when you lose adblock. Was dicking around with chromium and managed to break my plugins a few months ago. It had literally been years since I had seen the unfiltered net... yuk :)

  • I really didn't want to root my Gnex and lose all my settings and such, but it looks like I may have to anyways. Wonderful.

    • You shouldn't lose anything if you root your stock device. Installing a new rom will of course wipe everything. However, root allows you to truly backup everything on your device. (Check out TitaniumBackup once you root.)

      • Unfortunately, unlocking the bootloader on a Gnex, while very simple to do, will wipe the /sdcard/ partition. Security feature, apparently.

        • The sdcard is the one thing that's trivial to backup - root or no-root! As it's removable, remove it and copy it.

          • Actually, I have TitaniumBackup write to /sdcard then I mount the device over USB mass storage (though I hear that'll be removed in future versions) and rsync everything just like a regular rsync backup script (--link-dest hard links and all that jazz).

  • by KiloByte ( 825081 ) on Tuesday March 20, 2012 @12:38PM (#39414815)

    Wasn't it the case just several years ago that "adware" and "malware" were considered to be mostly synonyms? I don't see why, just because the plarform changed, they would behave any differently. You're back to the Bonzi Buddy "goodness".

    I just stay away from any "App Stores" and "Foo Markets". A Debian chroot (when there are no native builds) means the code I run can be trusted.

    • You have Debian running on a modern mobile device? Do tell!

      And by "running" I mean "with full telephony functionality".

      A Nokia N9 or N900, maybe, I could see. But those aren't representative of "modern mobile device".

      • You can install Debian in a chroot on most Android devices. I do use an N900, though, instead of a "modern" device -- there is nasty memory pressure, but the input dev runs circles around anything droid. You do need to beat it a bit to get basics including keys like [ ] ESC PgUp and so on, but once you're there, it's on par with most laptops. That's worlds behind a desktop with a mouse and a good ergonomic keyboard, of course.

      • by wanzeo ( 1800058 )

        There was a very detailed thread here a while back (which I am too lazy to find) where someone explained why you can't get Debian running on a "modern mobile device". It basically involves the vast fragmentation of platforms, and the lax GPL adherence to include SOC firmware source when shipping with the kernel. You would basically have to go to China and bang on doors to get what you need.

        However, I have a theory that this fragmentation is just a result of the rapid growth of mobile ARM devices. Once it ge

  • that's the real solution. It was only a matter of time... this type of exploit (and others to come no doubt) are the strongest argument for blocking ads.

    If you want people to buy your app, create a good app and provide a malware/adware/shareware free/lite version of it. If it is a good app then people will buy it. You piss people off before they have a real chance to test your app then you stand to lose that customer. Those that do not buy your app after trying it would not buy it under any circumstance.
    • The "shareware" belongs with "free/lite" above and should read "malware/adware free shareware/lite version"... my eyes are playing tricks on me!
    • by tlhIngan ( 30335 )

      If you want people to buy your app, create a good app and provide a malware/adware/shareware free/lite version of it. If it is a good app then people will buy it. You piss people off before they have a real chance to test your app then you stand to lose that customer. Those that do not buy your app after trying it would not buy it under any circumstance. I will continue to block apps as long as I have a means to do so. And, I will continue to buy apps from those DEV's that actually create good apps and prov

  • by Anonymous Coward

    Mobile ads are just like traditional website ads? A massive infection vector?
    Poorly secured servers that touch millions of individual hosts across millions of different sites, by design?
    Scummy ad vendors that don't care that they're linking to dropper sites?

    Yeah, not suprised. You can't trust ad vendors at all.

    Ad-Aware and other ad blockers are really security products. Blocking ads is just a pleasant side effect.

  • For years I've been telling fellow mobile developers that in exchange for ad revenue - or even for usage statistics - they're giving up AT MINIMUM the privacy of their users -- something which isn't theirs to give up in the first place. As ad libraries grow more complex, it's certainly no surprise to learn that there's more than privacy at stake.

    When you incorporate libraries that give up part of your control over your application, you can also be certain that you're giving up your users' control over thei

  • I can only speak for Android, since I don't own an iDevice, but the market is so saturated with ad-driven apps that it reminds me of windows some years ago, where everything was adware or shareware.
    Being from a Linux world where you get pretty much free (in both meanings) access to tools and programs, check/edit the source and other things, Android feels like a wild jungle, so closed and just feels like it's kind of hostile to the user, somehow.
    Besides, you are getting ad-based versions of paid apps as "FRE

    • by jo_ham ( 604554 )

      It's similar on iOS too - there are a large number of ad-supported free apps, often just direct duplicates of the paid version and listed as "(app name) Lite" or "(app name) Free". It's a strong encouragement to upgrade to the paid version if you like the app and are annoyed by the ads (some more obnoxious than others).

      Ironically, some apps make more money for the developers as free, ad-supported than they do as paid apps. It's probably due to volume of "sales" of the free apps though.

      As far as I know there

    • by mcelrath ( 8027 )

      I've been sorely disappointed with the Android Market/Google Play. First, the ads are a throwback to the punch-the-monkey style ads. They're invasive blinking colorful shit that takes up valuable screen real estate on a small screen, and suck your bandwidth and battery. You're paying not only with the mind virus they install, forcing you to look at them, but also with your bandwidth and power bills. Second, the app market seems to be full of half-finished weekend projects. Very few of the apps in the m

      • 1) Require that anything in the android market have its source uploaded to a Google repository.

        Goodbye Angry Birds, and EA...

        Have all apps compiled by Google.

        As a developer I am greatly dismayed by the idea that I may have to fix bugs introduced by Google messing up compiler settings.

        Give the ad library a "master switch" to turn off ads in an app, in exchange for an amount of money commensurate with the proceeds from ads. Therefore all ad-based apps can become no-ad apps in a uniform way.

        That's not a bad i

        • by mcelrath ( 8027 )

          You're right on most of that. Oh well, ad-blockers for half-finished weekend projects it is... and using Android will continue to be a miserable experience.

          P.S. I think I've been isolated, using only FOSS since about 1995. Android was my first re-introduction to the bad-old-world of closed source. It's a chaotic shit-show and I hate it.

          P.P.S. I thought everyone on Android was using Google's AdMob? Which made me think Google could force some improvements to the situation...

  • by DrXym ( 126579 ) on Tuesday March 20, 2012 @01:26PM (#39415521)
    I use AdMob as my ad provider (consequently bought out by Google) and feel reasonably confident that they vet their ads and the chance of malware is is relatively low risk. Even if one slipped past my app only runs with internet permissions which limits what it could do. The most dangerous thing an ad might do is take a user out of my app into a web browser and from their somehow their phone is infect. But I'm being as responsible as I can to avoid that.

    This isn't pure altruism but simply because I don't want my app tainted by scummy annoying ads or malware. I get a lot of spam from alternative ad providers with a hook such as I can earn 10x as much money by using their service. But a cursory glance at their marketing blurb leads me to conclude that their business is usually derived from enticing users to take surveys, 30 day trials and run other apps and all with far broader permissions such as read/write from SD, GPS location and so on. One advertiser worryingly also says they install "ad icons" on the user's phone meaning that my app would have to have ask for a pile of permissions just to enable this crap and it wouldn't be for the user's benefit.

    So as a responsible developer I stick with AdMob. But I can see how the danger is there. My advice for end users is only install apps which ask for a minimal set of permissions and uninstall apps which start serving annoying or dodgy content. Perhaps it won't stop attacks occurring but at least it means they won't be occurring for people exercising some restraint and common sense.

  • by Anonymous Coward

    Take a look at the author's blog on Networkworld (click on his alphadogg tag in the byline). Mostly "i"thing announcements. Gee, I wonder if his "research" is skewed.

    He's really confusing 3 things in the article:
    1) Ads have the same permissions as the app itself. However, HTML has no provisions to access the filesystem automatically. It would only have access to your GPS should the originating app also have permission.

    2) Downloading code? Downloading HTML is practically harmless to the running state of

  • I immediately thought of Saren saying "One step closer to finding the conduit." Been playing too much Mass Effect :)
  • The vast majority of posts I see point out the obviousness of rooting your phone and running any of a number ad-blockers and how great they are. That's no different than someone responding to a regular Joe's desktop Linux complaint with a "Duh, change your config, rebuild your kernel and move on....". You've just lost the average person who might otherwise be interested in playing. The VAST majority of Android users have absolutely no ability or interest in having to "root" their phone, finding a good ad

Bell Labs Unix -- Reach out and grep someone.