Post by Gandalf
1. Introduction
On November 28, 2012, the program "Android smart phone advertising has hidden worries", broadcast by the CCTV economic information network, revealed some little-known but shocking practices in the mobile advertising industry. Many mobile phone users find that various advertisements constantly pop up after they install an app, which is annoying. Some apps even embed malicious code in advertisements to steal private user information, which seriously infringes on consumers' interests.
Has the health of mobile advertising changed since then? This paper gives a brief analysis of the current state of mobile advertising.
2. Advertising development
2.1 Market Overview
According to the 2013-2014 China mobile advertising platform industry observation report from Aimei consulting, the overall scale of the China mobile advertising platform market in 2013 was 2.59 billion yuan, an increase of 144.3% year on year, and the market is expected to reach 22.71 billion yuan by 2018. As the mobile advertising market has grown rapidly, the number of mobile advertisements has also exploded. According to the statistics of AVL mobile security team, the number of advertisements in 2014 reached more than 5 million, an increase of about 250 times compared with 2011. Figure 1 shows the number of advertisements captured each year from 2011 to 2014.
Figure 1 number of advertisements
2.2 profit mode
The mobile advertising platform delivers and manages advertisements at scale by embedding an advertising plug-in in mobile apps, and at the same time lets developers turn their user traffic into advertising revenue. The result is a mobile advertising interest chain composed of advertisers, mobile advertising agents, advertising platforms, app developers, mobile operators, mobile terminal manufacturers and mobile users (see Figure 2 for details).
Figure 2 Mobile Advertising interest chain
The mobile advertising platform acts as an intermediary between app developers and app advertisers. By making the ads placed by advertisers more accurate and effective, it lets users get the information they need, improves developers' revenue, and earns its own share of that revenue. After the advertiser releases the advertisement to the app, the following methods are generally used for billing:
2.3 presentation form
The display forms of advertising pieces are constantly evolving, from the initial banner advertising to notification bar, interstitial (screen insertion) and offer wall (points wall) advertising. According to the statistics of AVL mobile security team, the number of advertisements displayed through the notification bar and interstitials has exceeded the number of banner advertisements. The main forms of advertising at present are shown in Figure 3.
Figure 3 display form of advertisement
3. Advertisement analysis
3.1 behavior characteristics
3.1.1 upload user information
While pushing advertisements to users, some third-party advertising platforms also collect and upload additional personal information of users. The purpose of the third-party advertising platform is to collect data reports on region, operator, phone brand and so on, which help advertisers better understand the characteristics of the advertising audience. However, this phone information may be stolen and used illegally, with adverse effects on user privacy.
According to the analysis and statistics of AVL mobile security team, 53% of the advertising materials upload the phone's IMEI and IMSI, 19% upload the phone's geographic location, and 15% upload the phone number; there are also malicious behaviors that upload important private information such as the address book, call records and SMS records.
3.1.2 other behavior types
It is found that frequent ad pushing and silent downloads account for the largest proportion of the other behaviors of advertising items; they subject users to rogue promotion and tariff consumption. The behaviors that threaten phone security are forging and intercepting SMS messages and silent installation. Although they account for a small proportion, they can cause serious economic losses to users. Table 3 shows the other behavior types and threat levels of advertisements.
Consuming mobile traffic is one of the main behaviors of advertising. In addition to the traffic consumed when ads are pushed, the advertising SDK itself is large and consumes a lot of traffic when running. It was also found that the size of an advertising SDK grows after it is updated. Some apps even have multiple ad SDKs built in, which seriously consumes users' mobile traffic.
3.2 advertising family
According to the statistics of AVL mobile security team, the most frequently used adware families are AdMob from Google and WAPs in China. Figure 4 shows the top 10 families with the most advertisements, the total number of corresponding apps, and the number of apps with malicious code.
Figure 4 advertising family
3.3 requested permissions
Advertising SDKs often request too many permissions, which may lead to permission abuse. For example, privacy-related permissions obtained by an advertising SDK can let mobile users' private data be obtained illegally. Based on the above statistics, AVL mobile security team found that foreign ad SDKs use about 3-4 permissions, while domestic ad SDKs use about 6 on average. Table 4 gives statistics on the permissions requested by the ten advertising families above:
According to the statistics in Table 4, the permissions that may cause greater security threats to users are as follows:
1) RECORD_AUDIO: this permission allows the app to record at any time.
2) CAMERA: this permission allows the app to use the camera at any time without your confirmation.
3) ACCESS_COARSE_LOCATION: the application uses these services to determine your approximate location.
4) INSTALL_SHORTCUT: the application can install shortcuts on the desktop.
5) SYSTEM_ALERT_WINDOW: the application can display windows on top of other programs, suspected of rogue promotion.
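The following is an added example, not code from the original report or from AVL: a small audit that reads a decoded AndroidManifest.xml and flags the five permissions listed above. The sample manifest, the package name com.example.flashlight and the review threshold of 6 (borrowed from the domestic average quoted above) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The five permissions singled out in the list above, with the risk the text gives.
RISKY = {
    "android.permission.RECORD_AUDIO": "can record at any time",
    "android.permission.CAMERA": "can use the camera without confirmation",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "desktop shortcuts",
    "android.permission.SYSTEM_ALERT_WINDOW": "windows over other programs",
}

# Constructed sample manifest (decoded text form), not taken from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>
"""

def audit_manifest(xml_text, review_threshold=6):
    """Return the package, unique permission count and flagged permissions."""
    root = ET.fromstring(xml_text.strip())
    requested = []
    for elem in root.iter():
        # Both element names declare a requested permission.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name")
            if name and name not in requested:  # ignore duplicates
                requested.append(name)
    flagged = {p: RISKY[p] for p in requested if p in RISKY}
    return {
        "package": root.get("package"),
        "total": len(requested),
        "flagged": flagged,
        # Assumption: review anything risky or above the threshold.
        "needs_review": bool(flagged) or len(requested) > review_threshold,
    }

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["total"], "permissions")
    for perm, why in report["flagged"].items():
        print("  FLAG", perm, "-", why)
```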
4. Analysis of malicious advertisements
4.1 types of malicious acts
The types of malicious acts in advertisements are widely distributed, covering almost all types of malicious acts. Among them, the most typical are frequent pushing and private downloading, which cause tariff consumption. In addition, malicious fee deduction, remote control, privacy theft and other behaviors are performed in the background, which makes them difficult for users to discover. (The article "summary of advertisement" introduces the malicious behavior in advertisements in detail.)
Figure 5 malicious behavior type of advertisement
4.2 new promotion methods
In the process of analyzing malicious code in 2014, AVL mobile security team saw a new trend: to improve promotion results, a large number of malicious apps use pornographic content as bait, constantly push various advertisements, and earn app promotion fees. For details, please refer to the 2014 mobile malicious pornography Application Research Report.
5. Example: typical malicious behavior of advertising SDKs
Mobile advertising platforms vary in size and quality. The advertising SDKs they provide follow no unified industry standard, which brings risks and hidden dangers to mobile security. The following examples illustrate typical malicious behaviors found in current advertising SDKs.
5.1 aggregate data SDK
In early November 2014, the media reported that the iOS version of the aggregate data SDK secretly uploads the user's address book to its server. Later, when AVL mobile security team analyzed the Android version of the SDK for comparison, it found that it also steals the address book, and the "Introduction to the aggregate data SDK" gives no explanation for acquiring the address book.
Although the new version of the aggregate data SDK has deleted the code that obtains and uploads the address book (see Table 5 for details), it takes a long time for products to update the SDK they embed. The old SDK is still collecting user address books, and the interface on the aggregate data server that receives uploaded address books has not been deleted and still processes the data normally.
5.2 counter bank advertising SDK
The Counter bank advertising SDK creates a large number of desktop shortcuts, modifies the user's browser bookmarks, obtains mobile device and other information, and modifies the default browser home page of the phone. The detailed code screenshots are as follows:
Figure 6 creating a desktop shortcut
Figure 7 add browser bookmark
5.3 ju6 advertising SDK
The Ju6 advertising SDK uploads user information such as IMEI, IMSI, mobile phone number and geographic location, obtains advertising information, and displays pop-up ads by inserting SMS and MMS messages; it can forge SMS and MMS promotional ads, which harasses users. The detailed code screenshots are as follows:
Figure 8 fake SMS
Figure 9 fake MMS
5.4 adtraffic advertising SDK
Adtraffic ads may insert spam messages into the inbox, send messages in the background, and intercept messages. The detailed code screenshot is as follows:
Figure 10 block specific SMS
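The following is an added example, not code from the original report or from any of the SDKs it names: a static triage pass over decompiled smali that looks for the behaviors described in sections 3.1.1 and 5.2 to 5.4 and attributes each hit to the package that contains it, so that SDK code is separated from the host app. The API and URI strings are standard Android ones; the mapping to behaviors, the package com.example.adsdk and the smali lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Behavior -> substrings to look for in decompiled code (example's assumption).
INDICATORS = {
    "reads IMEI": ["TelephonyManager;->getDeviceId("],
    "reads IMSI": ["TelephonyManager;->getSubscriberId("],
    "reads phone number": ["TelephonyManager;->getLine1Number("],
    "creates desktop shortcut": ["com.android.launcher.action.INSTALL_SHORTCUT"],
    "edits browser bookmarks": ["content://browser/bookmarks"],
    "touches SMS/MMS store": ["content://sms", "content://mms"],
    "intercepts SMS": ["->abortBroadcast()V"],
}

# Constructed smali excerpt: three hypothetical SDK classes and one app class.
SAMPLE_SMALI = """\
.class public Lcom/example/adsdk/DeviceInfo;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
.class public final Lcom/example/adsdk/Promo;
    const-string v1, "com.android.launcher.action.INSTALL_SHORTCUT"
    const-string v2, "content://browser/bookmarks"
    const-string v3, "content://sms/inbox"
.class public Lcom/example/adsdk/SmsFilter;
    invoke-virtual {p0}, Lcom/example/adsdk/SmsFilter;->abortBroadcast()V
.class public Lcom/example/flashlight/MainActivity;
    invoke-static {}, Landroid/hardware/Camera;->open()Landroid/hardware/Camera;
"""

# ".class <access flags> Lpkg/path/Name;" starts each smali class.
CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*L([\w/$]+);")

def scan_smali(text, pkg_depth=3):
    """Map package prefix -> sorted list of behaviors seen in its classes."""
    findings = defaultdict(set)
    package = "<unknown>"
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            # Keep the first pkg_depth path segments as the owning package.
            package = ".".join(m.group(1).split("/")[:pkg_depth])
            continue
        for behavior, needles in INDICATORS.items():
            if any(n in line for n in needles):
                findings[package].add(behavior)
    return {pkg: sorted(hits) for pkg, hits in findings.items()}

if __name__ == "__main__":
    for pkg, hits in scan_smali(SAMPLE_SMALI).items():
        print(pkg, "->", ", ".join(hits))
```

A string match only shows that the code references the API; whether the data actually leaves the device still needs dynamic analysis or a review of the call path.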
AVL mobile security team focuses on mobile internet security technology research and anti-virus engine development, providing powerful mobile security solutions. Follow our WeChat official account AVLTeam, where we regularly publish mobile security related information that we hope will help you. When reprinting, please cite the source: http://blog.avlyun.com/?p=2079