FireEye discovers rapidly growing class of mobile threats

FireEye researchers have discovered a rapidly growing class of mobile threats: a vulnerable, aggressive ad library embedded in apps downloaded more than 200 million times

FireEye researchers have discovered a rapidly growing class of mobile threats represented by a popular ad library affecting apps that have been downloaded more than 200 million times.

The ad library is described as “aggressive” in collecting sensitive data and is able to perform dangerous operations such as downloading and running new components.

If instructed by its server, the ad library will collect sensitive information such as text messages, phone call history, and contacts.

Mobile ad libraries are third-party software included by host apps to display advertisements.

FireEye has not publicly named the library, because its functionality and vulnerabilities could be used to conduct large-scale attacks on millions of users.

Referring to the ad library instead as “Vulna”, the researchers said it contains various classes of vulnerabilities that could enable attackers to turn its aggressive behaviours against users.

For example, an attacker exploiting Vulna could turn on the camera and take pictures without the user’s knowledge, steal two-factor authentication tokens sent via text message, or turn the device into part of a botnet.
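None of the data collection described above works unless the host app holds the matching Android permission, so the first check a developer who bundles an ad library should run is on the final manifest of the built app. The script below is an added example and is not code from FireEye or from the library in the article; the manifest, package name and header are constructed for illustration. It parses a decoded AndroidManifest.xml and flags the permissions an ad library would need for the abuses attributed to Vulna (SMS, call log, contacts, camera), while letting the developer declare which of those the app itself legitimately needs.

```python
"""Audit which permissions an Android app's final manifest requests.

Added example, not code from FireEye or from the library described in the
article. It parses a constructed AndroidManifest.xml (the form you get from
'apktool d' or from the Gradle merged manifest) and flags the permissions an
embedded ad library would need to read text messages, call history and
contacts, intercept incoming SMS, or use the camera.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions an advertising SDK has no legitimate reason to hold, mapped to
# the abuse the article attributes to the library.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored text messages, including 2FA codes",
    "android.permission.RECEIVE_SMS": "intercept text messages as they arrive",
    "android.permission.READ_CALL_LOG": "read phone call history",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.CAMERA": "take pictures without the user noticing",
}

# Constructed manifest for a hypothetical flashlight app that bundles an ad
# library; a flashlight has no business reading SMS or contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names a manifest requests, in document order."""
    root = ET.fromstring(manifest_xml)
    return [elem.get(NAME_ATTR) for elem in root.iter("uses-permission")
            if elem.get(NAME_ATTR)]


def audit_manifest(manifest_xml, expected=()):
    """Split requested permissions into flagged (risky and not justified by
    the app's own features) and everything else.

    'expected' lists permissions the developer knows the app itself needs,
    so a camera app is not flagged for CAMERA.
    """
    flagged = {}
    other = []
    for perm in requested_permissions(manifest_xml):
        if perm in RISKY_PERMISSIONS and perm not in expected:
            flagged[perm] = RISKY_PERMISSIONS[perm]
        else:
            other.append(perm)
    return flagged, other


if __name__ == "__main__":
    flagged, other = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in flagged.items():
        print("FLAG %s: an embedded library could %s" % (perm, why))
    print("other permissions:", ", ".join(other))
```

Run it against the manifest pulled out of the built APK rather than the app's own source manifest, since a library's permission requirements end up in the final manifest whether the developer added them by hand or a build tool merged them in.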


Attackers could also eavesdrop on Vulna’s traffic when a phone is connected to a public Wi-Fi hotspot and inject malicious code into it, or modify the Domain Name System (DNS) records of Vulna’s ad servers so that the library’s requests are redirected to attacker-controlled servers that collect information or inject code.

Of all the Android apps with over one million downloads on Google Play, 1.8% were found to use Vulna.

Vulna and other vulnerable or aggressive third-party libraries, components and apps ship as closed-source binaries, so the developers who embed them cannot easily inspect them for underlying security issues, said the researchers.

Consequently, legitimate apps using these elements present a serious threat to businesses, they said.

Despite the severe threat it poses, Vulna is stealthy and hard to detect, said the researchers: it receives commands from its ad server as data encoded in HTTP header fields rather than in the HTTP response body, where traffic inspection usually looks, and its code is obfuscated, making analysis difficult.
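Because the commands travel in header fields, a detector that only inspects response bodies never sees them. The script below is an added example, not FireEye’s code, and the response it parses is constructed: the header name X-Ad-Cfg, the JSON command and the ad-server hostname are made up for illustration and are not the library’s real protocol. It shows the detection approach: parse the header block separately from the body, ignore the headers an ordinary ad-server reply carries, and flag any other header whose value decodes as base64 to readable text.

```python
"""Find commands hidden in HTTP response header fields.

Added example, not FireEye's code. The responses below are constructed; the
X-Ad-Cfg header and the JSON command are invented for illustration and do
not describe the real library's protocol. The technique is generic: treat
the header block as a second channel and inspect it for encoded payloads.
"""
import base64
import binascii
import re

# Header names expected in an ordinary response. The allowlist is an
# assumption and would be tuned to the ad network's real traffic.
STANDARD_HEADERS = {
    "content-type", "content-length", "date", "server", "connection",
    "cache-control", "expires", "last-modified", "etag", "set-cookie",
    "pragma", "vary", "content-encoding", "transfer-encoding", "location",
    "accept-ranges", "age", "via", "x-request-id",
}

# A value worth decoding: at least 16 base64 characters plus padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header list, body).

    Headers come back as a list of (lower-cased name, value) pairs so that
    repeated headers are not lost.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def decode_if_text_base64(value):
    """Return the decoded text if value is base64 of printable UTF-8, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_header_commands(raw):
    """Return (header name, decoded payload) for every non-standard header
    carrying a base64-encoded text payload."""
    _, headers, _ = parse_response(raw)
    hits = []
    for name, value in headers:
        if name in STANDARD_HEADERS:
            continue
        decoded = decode_if_text_base64(value)
        if decoded is not None:
            hits.append((name, decoded))
    return hits


# Constructed sample traffic. The command is encoded here so the sample is
# self-consistent; a real capture would already carry the encoded value.
SAMPLE_COMMAND = b'{"cmd":"dump_sms","upload":"http://ads.example.invalid/u"}'
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 10 Oct 2013 12:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "X-Ad-Cfg: " + base64.b64encode(SAMPLE_COMMAND).decode() + "\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "<html><body>ad</body></html>\n"
)
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "ETag: \"33a64df5\"\r\n"
    "X-Request-Id: abc123\r\n"
    "X-Cache: HIT\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "<html><body>ad</body></html>\n"
)

if __name__ == "__main__":
    for name, payload in find_header_commands(SAMPLE_RESPONSE):
        print("suspect header %s carries: %s" % (name, payload))
    print("benign response hits:", find_header_commands(BENIGN_RESPONSE))
```

The base64 check is only one heuristic; an ad server that packs commands into a header in some other encoding would need a different decoder in decode_if_text_base64, but the separation of header inspection from body inspection is the part that matters.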

FireEye said it has informed both Google and the supplier of Vulna about the security issues discovered by its research team.
