Many developers around the world rely on an advertising SDK to monetise their free applications, but have you considered that such SDKs could be used for malicious purposes? BitDefender researchers have already clocked an SDK which asks for far more permissions than it requires…
The Widdit SDK, on Android, asks for a whole host of permissions including the ability to “record audio”, “read your text messages”, and “read phone status”.
Bogdan Botezatu, Senior E-Threat Analyst at BitDefender, writes: “Among the weirdest permissions we saw are permissions to disable the lock-screen, to record audio or to read browsing history and bookmarks.”
This doesn’t mean we should point the finger solely at Widdit: other examples include Vulna and AppLovin, and these SDK vendors are likely not directly aware of the abuse potential of requesting so many permissions – instead thinking only about how easily it lets the app be seamlessly updated with new functionality.
What they are doing, however, is ignoring Google’s “Play Store” guidelines, in which the Android creator states that applications should request the minimum number of permissions needed to function.
If this wasn’t scary enough, the SDK can execute code in response to events such as the phone rebooting, an SMS being received, a call being placed, an application being installed (or uninstalled), or an intent arriving from the GoogleCloudMessaging API.
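A developer evaluating an SDK can check for exactly these two things before shipping it: which sensitive permissions it pulls into the merged manifest, and which broadcast receivers let its code run on system events. The audit below is an added example written for this article, not code from BitDefender or from any of the SDKs named; the permission and action lists are assumptions mapped from the events and permissions the article describes, and the manifest is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in every AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a monetisation SDK rarely needs. Assumption: this set is built
# from the permissions the article calls out, not an official Android list.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.DISABLE_KEYGUARD",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}

# Broadcast actions that let SDK code run without the user opening the app.
# Assumption: these are the standard actions matching the events the article lists.
EVENT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.NEW_OUTGOING_CALL",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
    "com.google.android.c2dm.intent.RECEIVE",
}


def audit_manifest(xml_text):
    """Return the sensitive permissions requested and, per receiver, the
    event-driven actions it listens for."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

    event_receivers = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name")
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        hits = sorted(actions & EVENT_ACTIONS)
        if hits:
            event_receivers[name] = hits

    return {
        "sensitive_permissions": sorted(requested & SENSITIVE_PERMISSIONS),
        "event_receivers": event_receivers,
    }


# Constructed sample: what a merged manifest might look like after an
# over-privileged ad SDK has been added. Package and class names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application>
        <receiver android:name="com.example.adsdk.EventReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm in report["sensitive_permissions"]:
        print("sensitive permission requested:", perm)
    for receiver, actions in report["event_receivers"].items():
        print("event-driven receiver:", receiver, "->", ", ".join(actions))
```

Run it against the merged manifest from your build output rather than your own source manifest: the permissions and receivers an SDK contributes only appear after manifest merging, which is exactly where they tend to go unnoticed.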
The SDK downloads its updates over a standard (unencrypted) HTTP connection, without even the simplest of integrity checks — leaving plenty of room for a man-in-the-middle attack.
BitDefender set up a rogue network which used a proxy to intercept the update and serve a slightly altered file with tracking capabilities; it executed without question thanks to the SDK’s vast number of permissions and its lack of encryption and integrity checking.
Whilst this example attack was carried out in a controlled environment, it only takes a public network and a widely used advertising SDK for the same thing to be exploited for malicious purposes.
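The two missing controls are easy to state in code. The example below is added here and is not BitDefender’s or Widdit’s code: it models an update fetch the way the article describes it (trust whatever arrives) next to a fetch that refuses non-HTTPS URLs and rejects any payload whose SHA-256 digest does not match the expected value. The transports, payloads and URL are constructed; the assumption is that the expected digest reaches the app over a channel the attacker cannot alter (for instance pinned in the app build, or a manifest fetched over pinned TLS).

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class UpdateManifest:
    url: str
    sha256: str  # hex digest of the expected payload, obtained out of band (assumption)


# Constructed sample payloads standing in for a downloaded SDK module.
GENUINE_UPDATE = b"sdk-module-v2: show banner ads"
TAMPERED_UPDATE = GENUINE_UPDATE + b"; also upload the contact list"


def honest_transport(url):
    """Stand-in for an untouched download."""
    return GENUINE_UPDATE


def mitm_transport(url):
    """Stand-in for a proxy on a rogue network swapping the file in transit."""
    return TAMPERED_UPDATE


def fetch_update_unchecked(transport, manifest):
    """The pattern the article describes: run whatever came back."""
    return transport(manifest.url)


def fetch_update_checked(transport, manifest):
    """Refuse plaintext transport and any payload that fails the digest check."""
    scheme = urlparse(manifest.url).scheme
    if scheme != "https":
        raise ValueError(f"update URL uses {scheme!r}; only https is allowed")
    payload = transport(manifest.url)
    actual = hashlib.sha256(payload).hexdigest()
    # compare_digest avoids leaking the mismatch position through timing
    if not hmac.compare_digest(actual, manifest.sha256.lower()):
        raise ValueError("update payload failed integrity check; not executing it")
    return payload


def update_is_trusted(transport, manifest):
    """Boolean wrapper around the checked fetch, for callers that just need a verdict."""
    try:
        fetch_update_checked(transport, manifest)
        return True
    except ValueError:
        return False


def build_manifest(url, payload):
    """Publisher side: record the digest of the file actually released."""
    return UpdateManifest(url, hashlib.sha256(payload).hexdigest())


if __name__ == "__main__":
    insecure = build_manifest("http://ads.example/update.bin", GENUINE_UPDATE)
    secure = build_manifest("https://ads.example/update.bin", GENUINE_UPDATE)
    print("unchecked, via MITM:", fetch_update_unchecked(mitm_transport, insecure))
    print("checked, via MITM trusted?", update_is_trusted(mitm_transport, secure))
    print("checked, honest trusted?", update_is_trusted(honest_transport, secure))
```

A pinned digest is the minimum; because it has to change with every release, a production SDK would more usefully sign the manifest with a private key and ship only the public key in the app, so that the digest itself cannot be substituted along with the file. Either way, the SDK should never execute a downloaded module before the check passes.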
Give careful consideration to which advertising SDK you use – for your users’ sake.
What do you think about BitDefender’s findings about advertising SDKs?