Mobile Ads May Serve As a Malware Conduit
alphadogg writes with this excerpt from Network World: "Many mobile apps include ads that can threaten users' privacy and network security, according to North Carolina State University researchers. The National Science Foundation-funded researchers studied 100,000 apps in Google Play (formerly Android Market) and found that more than half contained ad libraries, nearly 300 of which were enabled to grab code from remote servers that could give malware and hackers a way into your smartphone or tablet. 'Running code downloaded from the Internet is problematic because the code could be anything,' says Xuxian Jiang, an assistant professor of computer science at NC State."
Re:Solution (Score:5, Informative)
Don't like it? Don't use it.
So far so good with this app called "adfree". Which was free. Any /. opinions on which blockers work better? Do I already have the best?
All it's doing (so far as I know) is the 1990s desktop era technique of putting certain hostnames in the /etc/hosts file, so at the ip addrs level it's blocking entire hostnames.
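The hosts-file technique described in the comment above, as an added example that is not part of the original thread: a small Python model of a hosts lookup, showing that blocking is by exact hostname only, so an unlisted subdomain of a blocked ad host still goes out to DNS. The sample file, the hostnames and the function names are constructed for illustration, and keeping the first entry for a name is a modelling assumption.

```python
"""Model of hosts-file ad blocking: exact hostname matches only (added example)."""

# Constructed sample in /etc/hosts syntax; the hostnames are placeholders.
SAMPLE_HOSTS = """\
# blocklist written by a hosts-based ad blocker
127.0.0.1   localhost
127.0.0.1   ads.example.com adserver.example.net   # two names on one line
0.0.0.0     Tracker.Example.ORG
# 127.0.0.1 disabled.example.com
"""

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
LOCAL_NAMES = {"localhost"}


def parse_hosts(text):
    """Return {hostname: address}; this model keeps the first entry for a name."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or malformed line
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), address)
    return table


def is_blocked(hostname, table):
    """True if the name is pinned to a sink address by an exact match."""
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    return table.get(name) in SINK_ADDRESSES


def coverage_gaps(requested, table):
    """Requested names that escape the blocklist although a parent name is listed."""
    gaps = []
    for host in requested:
        if is_blocked(host, table):
            continue
        labels = host.lower().rstrip(".").split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if any(is_blocked(p, table) for p in parents):
            gaps.append(host)
    return gaps


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(coverage_gaps(["ads.example.com", "cdn.ads.example.com", "example.com"], hosts))
```

Running `coverage_gaps` over hostnames seen in a device's DNS or proxy log shows which ad hosts a blocklist misses because only their parent name was listed.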
Droid Wall (Score:5, Informative)
Got root?
An iptables front-end on Android. Droid Wall is sweet: https://play.google.com/store/apps/details?id=com.googlecode.droidwall.free [google.com]
As each android app runs as a separate uid, it makes it easy to block net access app-by-app. The problem, of course, is when the app you don't really trust needs net access for a real reason. Sometimes you can allow net access, let the app do its thing, then revoke it so it's not background connecting all the time.
Also the ability to set some apps wifi-only and others 3G-only is pretty handy. This saves hours of battery life.
Re:Droid Wall (Score:4, Informative)
It's easily possible for apps you never ever use to leak data day after day, downloading ads you never see. This could make you go over your allotment from your cellular carrier and they will bill you for the overage.
All for nothing.
You never even saw those cool ads you downloaded!
Root your phone and put a big hosts table in there.
But, someone will say, "If you don't let them download and show you ads they won't be able to make those cool apps for free."
Sorry, if showing ads to someone who doesn't want to look at them is your business model and it stops working, you will have to either get a business model that works or go out of business.
I have been to websites that contained a warning "You are blocking ads, you may not use our website. Unblock our ads before you come back here".
Sounds like a website to stay away from to me.
Re: (Score:1)
But Android users are notoriously cheap and don't pay for apps. So, how are developers supposed to make money? What novel business model do you suggest?
Re: (Score:3)
Actually it makes sense to pay for good apps on android. My mobile operator three.ie (hutchinson telecom) gives me free unlimited data for 30 days when I top up by 20 euro (and an extra 10 euro credit), which is good, but when that 30 days expires I then start to pay for data. A couple of days ago I got a text telling me I've used 5 euro odd on data. That is pretty much down to ads being downloaded.
Wouldn't I have been better off to buy the ad free version of the app rather than paying for data I didn't want
Re: (Score:1)
" Sorry, if showing ads to someone who doesn't want to look at them is your business model and it stops working, you will have to either get a business model that works or go out of business.
So very true. You can show me ads till you are blue in the face.. But keep in mind, ads annoy me.. You are guaranteeing yourself I will not buy your product when you annoy me.
"I have been to websites that contained a warning "You are blocking ads, you may not use our website. Unblock our ads before you come back here". Sounds like a website to stay away from to me.
Yes.. You tell me to unblock and look at your stupid ads that I'd never click on anyway and I'm gone.
Re: (Score:2)
https://play.google.com/store/apps/details?id=com.mobidia.android.mdm&hl=en
It actually reset yesterday (my billing date). A lot of apps are showing <0.1MB in a day of no-use.
Big players like eBay, Google Shopper, Dropbox, BBC iPlayer have all used data and I've not used them in weeks.
Small games like checkers, reversi, chess, Go, etc, that I also haven't run, haven't used any at all.
TuneIn radio sucks the most da
Re: (Score:2)
Big players like eBay, Google Shopper, Dropbox, BBC iPlayer have all used data and I've not used them in weeks.
I can't excuse the others but I have my dropbox configured for offline sync every hour. I'm not bothered by apps using BW to transfer my data on my command.
Re: (Score:2)
LBE Privacy Guard is also a good tool on a rooted phone. I use it with DroidWall to ensure that apps that have too many permissions don't get to use them.
The downside is that it takes a little bit on boot for the LBE Privacy Guard daemon to load, but it is an excellent tool that in reality should be part of the OS.
Re: (Score:1)
LBE Privacy Guard is closed-source. I'm not big on closed-source root programs. Never mind that it's also (incoming xenophobia) written by a Chinese developer.
Re: (Score:2)
Is it possible to do the same thing with built in data manager in ICS? I know it can be configured per app so I guess the real question is, can it be set to zero?
Re: (Score:1)
Or spend the $1 on the non-free version.
The publishers of these apps aren't trying to hit you with malware, they're just trying to make a few pennies and give you something you want.
Re: (Score:2)
Now what do you do when you run into the app that checks to see if its ad network is in your hosts file (mind you only looks to see that it is there, not that it is set to something non-nonsensical)?
Re: (Score:2)
You're so clever you must cut yourself on a regular basis.
Sponsored by Symantec and McAfee (Score:3)
Please buy our products!
Re: (Score:2)
0.3% odds of downloading one of these apps. I am not worried. Especially since I rarely download apps (I prefer mpg, mp3, and txt files via torrent).
Re: (Score:2)
Is there any evidence these products are needed for iOS, or that "free" iOS apps containing these kinds of vulnerabilities slip through the approval process?
Anything like adblock (Score:2)
on an android system level?
etc/hosts, or dns blacklists?
Re:Anything like adblock (Score:5, Interesting)
Re: (Score:2)
Yes, etc/hosts exists on Android and works exactly the same as any other Linux.
There's a fine app called adaway that'll do it all for you. Obviously requires root though.
malware in ads (Score:1)
Isn't there a way to sandbox the process running the ads?
Re: (Score:2)
You mean sandbox the app itself as it calls the ad library which executes the remote code? But you've already granted that app the permissions necessary to do bad things!
Re: (Score:2)
Why not just *not install* these fucking skeezy apps? I see so many replies on how to block the functionality instead of just not infecting your phone in the first place, it's pretty sad.
Re: (Score:2)
Re: (Score:2)
I am not sure that follows. Even if every android app used google's mobile ad platform, which isn't even close to being reality, the conversion quality matters. In fact it matters a lot. Even CPM contracts are highly non linear with quality. At least they were when I was around the business in 2002ish.
PS: Looks like google currently has around 1/4 of the mobile ad space;
http://www.bloomberg.com/news/2011-12-12/google-millennial-media-take-ad-share-away-from-apple-idc-says.html [bloomberg.com]
ad block effect (Score:5, Interesting)
I suspect the "ad block effect" that I'm used to from years of firefox will exist on android very soon. "(shock amazement) That's what the unfiltered internet looks like now? How can anyone use that? (insert more shock amazement)"
Re: (Score:2)
I know people who use IE exclusively which I can't imagine.
How many blinking ads can you stand? Darned few!
We badly need a way to support Adblock Plus on Android and on IE, or at least their filter list subscriptions.
IMHO Firefox has some pretty serious issues today, I would dump it except for Adblock Plus.
Re: (Score:1)
Chrome has an Adblock extension that works really well.
You can even tell it to block Google's text ads (though I don't, as sometimes they are quite hilarious).
Re: (Score:2)
But Google Chrome is too minimalist for me, I like all the menubars and controls that Firefox has.
That said, I don't like the new Firefox as well as I liked the old version with again, more menubars and controls. Heh.
But I am an old guy.
Re: (Score:2)
It is a jarring experience when you lose adblock. Was dicking around with chromium and managed to break my plugins a few months ago. It had literally been years since I had seen the unfiltered net... yuk :)
Great... (Score:2)
I really didn't want to root my Gnex and lose all my settings and such, but it looks like I may have to anyways. Wonderful.
Re: (Score:2)
You shouldn't lose anything if you root your stock device. Installing a new rom will of course wipe everything. However, root allows you to truly backup everything on your device. (Check out TitaniumBackup once you root.)
Re: (Score:2)
Unfortunately, unlocking the bootloader on a Gnex, while very simple to do, will wipe the /sdcard/ partition. Security feature, apparently.
Re: (Score:2)
The sdcard is the one thing that's trivial to backup - root or no-root! As it's removable, remove it and copy it.
Re: (Score:2)
Actually, I have TitaniumBackup write to /sdcard then I mount the device over USB mass storage (though I hear that'll be removed in future versions) and rsync everything just like a regular rsync backup script (--link-dest hard links and all that jazz).
Re: (Score:2)
We're beginning to see the cracks in the Android dam
I don't think there ever was a dam- I've been able to install anything I want on my Android as long as I've had it. People will exploit devices and services whether it is Android, Windows, Mac, or Linux. That's life, and it's the risk we take to have the freedom to do what we want on our devices. Freedom isn't free, right?
Re: (Score:3)
One problem with ad libraries, which are served up via Google, Apple [emphasis mine] or other such companies, is that app users essentially give them the same access permissions as the apps themselves, allowing them to skirt standard security processes.
Re: (Score:2)
This is still a threat on iOS - ads don't just come in free apps, the browser can load them on websites too. Detecting and serving specific ads to specific hardware is trivial.
Re: (Score:1)
I am sure nobody will remember this post while they accuse you of being an Apple shill/fanboi.
Adware? Malware? What's the difference? (Score:5, Interesting)
Wasn't it the case just several years ago that "adware" and "malware" were considered to be mostly synonyms? I don't see why, just because the platform changed, they would behave any differently. You're back to the Bonzi Buddy "goodness".
I just stay away from any "App Stores" and "Foo Markets". A Debian chroot (when there are no native builds) means the code I run can be trusted.
Re: (Score:2)
You have Debian running on a modern mobile device? Do tell!
And by "running" I mean "with full telephony functionality".
A Nokia N9 or N900, maybe, I could see. But those aren't representative of "modern mobile device".
Re: (Score:2)
You can install Debian in a chroot on most Android devices. I do use an N900, though, instead of a "modern" device -- there is nasty memory pressure, but the input dev runs circles around anything droid. You do need to beat it a bit to get basics including keys like [ ] ESC PgUp and so on, but once you're there, it's on par with most laptops. That's worlds behind a desktop with a mouse and a good ergonomic keyboard, of course.
Re: (Score:2)
There was a very detailed thread here a while back (which I am too lazy to find) where someone explained why you can't get Debian running on a "modern mobile device". It basically involves the vast fragmentation of platforms, and the lax GPL adherence to include SOC firmware source when shipping with the kernel. You would basically have to go to China and bang on doors to get what you need.
However, I have a theory that this fragmentation is just a result of the rapid growth of mobile ARM devices. Once it ge
Block Ads... (Score:1)
If you want people to buy your app, create a good app and provide a malware/adware/shareware free/lite version of it. If it is a good app then people will buy it. You piss people off before they have a real chance to test your app then you stand to lose that customer. Those that do not buy your app after trying it would not buy it under any circumstance.
Re: (Score:1)
Re: (Score:2)
I want to know if your "make my android phone a BT keyboard" will work on my phone, same goes for your 3d game, etc. No sense shelling out $5 until I know it will run.
Re: (Score:1)
Re: (Score:2)
Nobody should be surprised. (Score:1)
Mobile ads are just like traditional website ads? A massive infection vector?
Poorly secured servers that touch millions of individual hosts across millions of different sites, by design?
Scummy ad vendors that don't care that they're linking to dropper sites?
Yeah, not surprised. You can't trust ad vendors at all.
Ad-Aware and other ad blockers are really security products. Blocking ads is just a pleasant side effect.
Re: (Score:2)
it's xss by design. soo.......
No shit (Score:2)
For years I've been telling fellow mobile developers that in exchange for ad revenue - or even for usage statistics - they're giving up AT MINIMUM the privacy of their users -- something which isn't theirs to give up in the first place. As ad libraries grow more complex, it's certainly no surprise to learn that there's more than privacy at stake.
When you incorporate libraries that give up part of your control over your application, you can also be certain that you're giving up your users' control over thei
Android adware (Score:2)
I can only speak for Android, since I don't own an iDevice, but the market is so saturated with ad-driven apps that it reminds me of windows some years ago, where everything was adware or shareware.
Being from a Linux world where you get pretty much free (in both meanings) access to tools and programs, check/edit the source and other things, Android feels like a wild jungle, so closed and just feels like it's kind of hostile to the user, somehow.
Besides, you are getting ad-based versions of paid apps as "FRE
Re: (Score:2)
It's similar on iOS too - there are a large number of ad-supported free apps, often just direct duplicates of the paid version and listed as "(app name) Lite" or "(app name) Free". It's a strong encouragement to upgrade to the paid version if you like the app and are annoyed by the ads (some more obnoxious than others).
Ironically, some apps make more money for the developers as free, ad-supported than they do as paid apps. It's probably due to volume of "sales" of the free apps though.
As far as I know there
Re: (Score:2)
I've been sorely disappointed with the Android Market/Google Play. First, the ads are a throwback to the punch-the-monkey style ads. They're invasive blinking colorful shit that takes up valuable screen real estate on a small screen, and suck your bandwidth and battery. You're paying not only with the mind virus they install, forcing you to look at them, but also with your bandwidth and power bills. Second, the app market seems to be full of half-finished weekend projects. Very few of the apps in the m
Many problems (Score:2)
1) Require that anything in the android market have its source uploaded to a Google repository.
Goodbye Angry Birds, and EA...
Have all apps compiled by Google.
As a developer I am greatly dismayed by the idea that I may have to fix bugs introduced by Google messing up compiler settings.
Give the ad library a "master switch" to turn off ads in an app, in exchange for an amount of money commensurate with the proceeds from ads. Therefore all ad-based apps can become no-ad apps in a uniform way.
That's not a bad i
Re: (Score:2)
You're right on most of that. Oh well, ad-blockers for half-finished weekend projects it is... and using Android will continue to be a miserable experience.
P.S. I think I've been isolated, using only FOSS since about 1995. Android was my first re-introduction to the bad-old-world of closed source. It's a chaotic shit-show and I hate it.
P.P.S. I thought everyone on Android was using Google's AdMob? Which made me think Google could force some improvements to the situation...
As an app author I get lots of spam (Score:5, Informative)
This isn't pure altruism but simply because I don't want my app tainted by scummy annoying ads or malware. I get a lot of spam from alternative ad providers with a hook such as I can earn 10x as much money by using their service. But a cursory glance at their marketing blurb leads me to conclude that their business is usually derived from enticing users to take surveys, 30 day trials and run other apps and all with far broader permissions such as read/write from SD, GPS location and so on. One advertiser worryingly also says they install "ad icons" on the user's phone meaning that my app would have to ask for a pile of permissions just to enable this crap and it wouldn't be for the user's benefit.
So as a responsible developer I stick with AdMob. But I can see how the danger is there. My advice for end users is only install apps which ask for a minimal set of permissions and uninstall apps which start serving annoying or dodgy content. Perhaps it won't stop attacks occurring but at least it means they won't be occurring for people exercising some restraint and common sense.
Re: (Score:2)
Another fanboy article... (Score:1)
Take a look at the author's blog on Networkworld (click on his alphadogg tag in the byline). Mostly "i"thing announcements. Gee, I wonder if his "research" is skewed.
He's really confusing 3 things in the article:
1) Ads have the same permissions as the app itself. However, HTML has no provisions to access the filesystem automatically. It would only have access to your GPS should the originating app also have permission.
2) Downloading code? Downloading HTML is practically harmless to the running state of
The Conduit (Score:1)
Most replies encouraging ad-blocker miss the point (Score:2)