This presentation by Karine de Pontevès and Axelle Apvrille (Fortinet) was given at VB2013 in Berlin, Germany. https://www.virusbtn.com/conference/vb2013/abstracts/PontevesApvrille.xml
Note: we apologise for the poor quality of the video. You can view the original slides here: https://www.virusbtn.com/pdf/conference_slides/2013/dePontevesApvrille-VB2013.pdf
Android captured 70% of smartphone shipments in the December quarter of 2012. With this explosion, Android has become the world’s biggest magnet for smartphone applications – and mobile malware.
Individuals and organizations who develop legitimate applications benefit financially either by selling them or by embedding advertisement kits. Building free, ad-supported apps helps developers side-step the hassle of the Google Checkout flow, which has made it the most popular form of monetization.
In this paper, we focus on the security risks and inefficiencies posed by ad-kits, and more particularly those embedded into malware. To this end, we study the Android platform and 90,000 malware samples. We identify 10 representative ad-kits. We further develop a system called ‘Droidlysis’ to examine potential risks, ranging from uploading sensitive information to remote servers, to downloading and executing untrusted code. We analyse ad traffic and identify sensitive data transmitted over the air.
Our results show that most ad-kits not only collect private information, but probe for data and permissions beyond the ones listed in their documentation. We discover how users can be tracked by an ad provider across applications, and by a network sniffer across ad providers. Finally, we discuss the financial implications for developers and ad providers.