Mobile Ad Library InMobi Opens Security Holes in Android Apps, Researchers Say

Man-in-the-middle attackers could force vulnerable apps to make phone calls, send text messages, access photos and more

A third-party advertising library called InMobi, used by many Android applications, opens a potential backdoor into mobile devices.

Attackers who are in a position to intercept traffic coming from an app that uses InMobi can inject JavaScript commands into that traffic and force the app to make phone calls, send text messages to premium-rate numbers, create calendar events, access the photo gallery and post on social networks on the user's behalf, according to researchers from security firm FireEye.

The problem stems from InMobi's use of an Android API (application programming interface) feature called addJavascriptInterface that can be used to expose a Java object's methods to content loaded in a WebView, a window that displays Web pages.

Since Android 4.2, addJavascriptInterface has a mechanism to restrict which methods can be accessed through JavaScript code from a WebView, but this restriction doesn't exist on older Android versions, which are still found on 80 percent of devices.

InMobi has been using addJavascriptInterface since version 2.5.0 and the restriction mechanism called @JavascriptInterface since version 3.6.2, FireEye researchers Yulong Zhang, Hui Xue, Tao Wei and Dawn Song said in a blog post. "However, it used this mechanism to expose aggressive features to JavaScript in WebViews."

The methods exposed by InMobi include: createCalendarEvent, makeCall, postToSocial, sendMail, sendSMS, takeCameraPicture, getGalleryImage and registerMicListener.

"Essentially, InMobi builds a sidedoor in host apps with these aggressive features to endow content in WebViews with these capabilities," the FireEye researchers said.

The second problem is that InMobi loads content in its WebView via HTTP, not HTTPS, so the traffic is not encrypted. This means that any attacker who is able to intercept that traffic can inject rogue JavaScript code into it to access the exposed functionality.

Such man-in-the-middle attacks can be executed on open wireless networks, from compromised routers, using rogue DNS (Domain Name System) servers or at any other point en route to InMobi's servers.
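To make the two weaknesses concrete, the following is an added, constructed Android example (not InMobi's code, which the article does not reproduce): a bridge in the vulnerable shape the researchers describe, a sensitive action exported to page script and the page fetched over cleartext HTTP, beside a hardened form that exports only read-only data, attaches the bridge only where the @JavascriptInterface restriction is enforced, and loads content over TLS. All class names, method names and URLs are hypothetical.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Constructed example of the two bridge shapes; all names are hypothetical.
public class AdBridgeExample {

    // VULNERABLE SHAPE: a device action is deliberately exported to page script,
    // and the page that can reach it is fetched over plain HTTP.
    static class ExposedBridge {
        private final Context ctx;
        ExposedBridge(Context ctx) { this.ctx = ctx; }

        @JavascriptInterface   // exported on 4.2+; below 4.2 every public method is exported anyway
        public void makeCall(String number) {   // only works if the host app holds CALL_PHONE
            ctx.startActivity(new Intent(Intent.ACTION_CALL, Uri.parse("tel:" + number)));
        }
    }

    static void attachVulnerable(WebView wv, Context ctx) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new ExposedBridge(ctx), "adBridge");
        wv.loadUrl("http://ads.example.invalid/creative");   // cleartext: anyone on the path can rewrite it
    }

    // HARDENED SHAPE: the bridge only returns data and never performs a device action;
    // it is attached only where the annotation is enforced; content is loaded over TLS.
    static class ReadOnlyBridge {
        @JavascriptInterface
        public String sdkVersion() { return "4.0.4"; }   // sample value; version number taken from the article
    }

    static void attachHardened(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {   // API 17 = Android 4.2
            wv.addJavascriptInterface(new ReadOnlyBridge(), "adBridge");
        } else {
            // Older WebViews export every public method via reflection, so attach no bridge at all.
            wv.removeJavascriptInterface("adBridge");
        }
        wv.loadUrl("https://ads.example.invalid/creative");   // placeholder URL, TLS only
    }
}
```

A code review or static check for the vulnerable shape looks for three things together: addJavascriptInterface on a WebView, a bridge method that starts an Intent or touches SMS, camera, calendar or storage, and a loadUrl argument that is not https.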

"By leveraging the sidedoors, if the app has the right permission (CALL_PHONE), an attacker could make phone calls, including to premium numbers, on the device without user consent," the FireEye researchers said. "With this vulnerability, attackers can also launch telephony distributed denial-of-service (T-DDoS) attacks targeting certain phone numbers, so that they can effectively paralyze the phone service of a given organization."

Posting to social networks, sending SMS (Short Message Service) messages, creating calendar events or taking pictures would not require the host app to have any special permissions, but users would need to click on a button in order to complete those actions. Attackers could use social engineering techniques to trick them, the FireEye researchers said.

After being notified of the problem by FireEye, InMobi released version 4.0.4 of its SDK (software development kit) that now requires user consent before making phone calls. However, it didn't remove any of the other functionality and exposed a new method called storePicture that can be used to save any file from the Internet into the device's Downloads folder.

The FireEye researchers view the first change as an improvement. "However, the new change still leaves the users vulnerable to social engineering attacks where attackers could misguide users into making premium calls," they said. "Unfortunately, change #2 gives attackers more opportunity for social engineering attacks, as it allows the attacker to leverage the storePicture interface to download and save arbitrary files onto the device."

FireEye claims to have identified over 2,000 apps on Google Play that contain vulnerable versions of the InMobi SDK and have been downloaded over 100,000 times each, for a total of 2.56 billion downloads. The company notified Google of its findings, but it's unclear when or if the developers of those apps will update them to use the latest version of InMobi SDK.

"We recommend ad library vendors like InMobi to carefully ensure the security of their libraries and actively advise app developers about the underlying security and privacy risks so that app developers can make informed decisions," the FireEye researchers said.

Copyright © 2030 IDG Communications, Inc.
