How Mobile Ads Abuse Permissions
It has become an inevitable part of the Android user experience that apps will ask for a long laundry list of permissions. Many apps will ask you to grant them network access so they can download updates. Others seek permission to read your phone’s state and identity so calls won’t disrupt them from doing what they’re doing. Unfortunately, these permissions can be abused for criminal intentions.
Rise of Aggresive Mobile Adware
Aside from apps abusing user’s permission, we noted a significant rise in the number of aggressive mobile adware, as reported in our 3Q Threat Roundup Android Under Siege: Popularity Comes at a Price. Trend Micro consider these adware as “high risk”, as they pose serious threat to user’s privacy and serve as effective means to collect data, which can be used for suspicious purposes.
Recently, I was testing Android apps from Google Play and after after a simple typo, I carelessly downloaded a Flash player app. Fortunately, the installed Trend Micro Mobile Security app notified me of a dangerous app.
Downloading malware is one of my former hobbies; however it never occurred to me that I would get it unexpectedly and without warning from an official and safe source such as Google Play.
The abbreviation ADW in the detection name indicates that the danger comes from adware. My colleagues, Leo Zhang from the Mobile Application Reputation team informed me that this particular app had an adware module often used by free apps. Here is a list of the data leaked from the Android device and sent to the servers of the company behind this module:
- The device’s IP address on all interfaces (i.e., both WiFi and mobile network)
- The device’s ANDROID_ID (unique 64-bit identifier for the device)
- The Android OS version
- The user’s location, as determined by GPS
- The user’s mobile network and their country code
- The user’s phone number
- The device’s unique ID (their IMEI, MEID, or ESN)
- The device’s manufacturer and version
The adware module also gathers other information stored on the device, such as any accounts registered on the device, together with the calendar and browser bookmarks. It also displays advertising outside of the app, such as push notifications. My colleague, Hayashi Noriyaki, noted that this practice of pushing notifications e.g. displaying ads on notifications bar is an unwanted advertising method, which has been prohibited by Google.
Because of the huge amount of information leaked from the mobile device, Trend Micro considers it to be as a dangerous module, as it compromises both privacy and the device usability. Because of this, many apps in Google Play – which include the full features of the advertising module – are considered by Trend Micro as aggressive adware and accordingly detected by our products.
In this case, the paid version of FLV Player with no ads is not considered harmful at all by our Mobile Application Reputation System (MARS), unlike the free version. However, the free version has been downloaded more than a million times – unlike the paid version, with only 1,000+ downloads. With just this one app, this ad module got information from more than a million users.
7,000 Free Apps Use Aggresive Advertising Module
Based on information from MARS and Google Play, at least 7,000 free apps use this particular advertising module. 80% of them are still available, and at least 10% of them have been downloaded more than one million times.
It is not only Trend Micro that is worried about this advertising module. The Web of Trust community gave the advertising module’s servers a ”very poor” reputation score, with a highest score 17 out of 100. Community members also believe that this company is involved not just in spam (email or push notifications), but also phishing and other scams.
In addition to taking the user’s personal information, these ads also display advertising in particularly annoying ways. Either notifications or an icon on the device’s home screen are used to serve ads to users. The apps themselves may not tell the user that these Android features may be used to serve them advertising. Users may find this needlessly annoying; in addition they may be hard to remove as it’s not always clear which app was responsible for the ads.
The takeaway from all this? Users should be careful about all mobile apps they download, wherever they come from. This is particularly true for “free” apps, where in effect your information becomes payment for the app. For some people, this may be a worthwhile tradeoff – but this is something every user should decide for themselves, with a full appreciation of what is given up in return for something “free”.
To know more about our insights on mobile apps and other noteworthy online threats, you can read the rest of our Q3 Threat Roundup here.