The Dangers Of Mobile Advertising

The mobile advertising network RevMob has notified its customers that it has suffered a breach, though the extent of the attack and the motivations behind it are currently unknown.

While RevMob's breach does not appear at first to be as headline-grabbing as the recent TalkTalk, Tesco or Panama Papers hacking news stories, and thus may well not be as widely publicized by the media, it does once again draw attention to the inherent threat posed by pervasive advertising.

MWR’s past research on the subject is still very much relevant today. For example, this publication from 2011 details an analysis of the attack surface exposed within mobile advertising software development kits. As part of the research, vulnerabilities were identified that could be used to compromise the applications and the devices serving such applications. The attack vector relied on an adversary being able to capture and manipulate internet requests, so an adversary looking to achieve a compromise would need to be in the vicinity of their target (for example, in the same coffee shop or bar).

This reliance on proximity makes attacks at scale difficult, and if attacks are difficult to scale, the return on investment is minimized. The ability to capture and manipulate data upstream, such as when it traverses telecommunications or ISP networks, is not one possessed by many threat actors, further limiting the exposure to a much smaller threat group.

However, if an adversary were able to compromise the mobile advertising network itself, the endeavor would potentially be much less challenging while offering the reward of a much more scalable attack vector.

The Weakest Link

Targeted attackers will often compromise weak links in an organization’s supply chain to achieve their end goal. A breached organization may not always be the end target, but merely a stepping stone towards achieving an ultimate goal. Hence, it would not be unreasonable to consider a breach of a mobile advertising network as being an effective stepping stone towards a much greater ambition.

Many of the vulnerabilities discovered and disclosed by MWR in mobile applications and advertising network software development kits are still prevalent. However, even without the vulnerabilities in the mobile applications and/or the software development kits being present, the ability to push code of the attacker’s choosing to millions of mobile devices is a very useful capability. For instance, it can be leveraged to target known and undisclosed mobile device vulnerabilities that can provide remote control of phones and tablets.

The Mobile Pwn2Own competition, which MWR enters annually, is a good example of undisclosed vulnerabilities being present in modern devices that could potentially be leveraged to achieve many adversarial goals.

In addition, this site provided by Android offers useful statistical analysis of how many devices in use today are running old and vulnerable versions of the platform’s operating system.

Should an adversary breach a mobile advertising network, therefore, they may find themselves in a position to attack and compromise many mobile devices at scale – a scary prospect. While we still do not know the extent of the RevMob breach, it is certainly food for thought.

How comfortable do you feel that an advertising network has the ability to execute code on your device? Code that has been proven to have features and vulnerabilities that can be used to collect a wealth of data, transmit it insecurely, use its privileges to track your movements, profile you, listen to you and profit from this directly or by selling your data on to unknown third parties? Code that can also be used by adversaries to compromise and control your mobile phone and/or tablet completely?


