
The Case Of Malicious Advertisement SDK Affecting Thousands Of Mobile Apps by Kirill Efimov

BSides Dublin · 2021 · 25:21 · 36 views · Published 2021-05
About this talk
Kirill Efimov examines a malicious advertisement SDK integrated into thousands of mobile apps, exposing tracking of user clicks, HTTP requests, and authorization tokens—enabling click fraud and potential attribution hijacking. The research uncovers a remote code execution vulnerability through the SDK's webview bridge, allowing arbitrary native method execution from downloaded ad payloads.
View slide decks and full list of talks available at: https://www.bsidesdub.ie/past/2021.php
Transcript [en]

Hey, I'm a little bit sick, sorry for my voice and advice. So we are going to talk today about the research with code name SourMint. You could even have heard about it if you are into the mobile application development area. I am a member of the research team which was working on it, so let's talk about it. First, a couple of words about myself. I am the security research team leader at Snyk, a family guy, I have a wife and a one-year-old son. I was born in Russia, Saint Petersburg, and moved to Tel Aviv about four years ago. I play CTF challenges as a member of the 5BC team and you can find me as byday tonight on Twitter. Also, before we start, I would like to appreciate the team which was working on the research, Raul and Danny, thank you.

So let's start. We are going to talk about mobile advertisement, specifically about the Mintegral ad SDK, which is published in CocoaPods. The company that created the SDK, Mintegral, is an application monetization platform owned by the public company Mobvista. It's based in China with a lot of different offices in different countries. The Mintegral SDK is available for both Android and iOS, but I'm not going to talk about the Android version today, although all relevant links will be at the end of the presentation. This SDK allows developers to monetize on advertisement, obviously. When we started our research in August 2020, the SDK was closed source, integrated in about 3,000 applications with about 1.2 billion downloads per month overall. I think it's important to say here that I'm going to mention the Mintegral company many times today in really different contexts, but I'm not blaming them for anything. All that will be presented is pure observations based on facts, and it's only up to you to decide whether to blame someone or not.

Now to the research. When we started it, we immediately observed some suspicious markers. First of all, the code is not open. Obviously it's not suspicious by itself, but it is really unusual for a CocoaPod to be closed source. We found that some of the classes and pieces of code are obfuscated but most of the classes are not, so we started to look at the obfuscated ones. At the beginning, some of the strings were encoded using a non-standard base64-like encoding. Eventually we found that the SDK uses method swizzling. It's a process when you replace the native implementation of a method with your own implementation. Network activity showed that the SDK uses the same base64-like encoding in the requests to obfuscate the requests. After a deeper look we found that Mintegral can collect some data which we don't expect to be collected. I'm talking about openURL tracking, all HTTP request tracking including parameters of the requests like headers, and StoreKit events tracking. By tracking I mean that the SDK sends a log about each of those actions to their backend.

The openURL method is used whenever your application wants to open a URL in a browser or as a deep link in another application, so you can imagine what will happen if you replace the implementation of the method with your own. Basically, if a user clicks on a link in a banner or just any external link in the app, it opens the browser, but in parallel the Mintegral SDK sends the data about the click to their backend, to their servers. This is the obfuscated data sample of such requests. You can see here the URL itself, but as well a lot of metadata: you can see the stack traces, you can see the method name and class name and all the arguments, all the query parameters of the request.

So what is this data used for? Let's have a look at how mobile advertisement normally works. A user clicks on a banner and the advertisement SDK sends a log about this click to the attribution provider backend. Then the user downloads the application, and after installation, after the first launch, the attribution provider receives this data. Now you can see that the attribution provider backend has both click information and install information, so eventually it can figure out which banner was clicked and who should be paid for the click. So if you have information about all clicks made by the user, you can pretend that the user clicked on your banner as well as on the banner of a different advertiser: you can send a fake click to the attribution provider backend, and as far as the attribution provider counts the second click as the one that should be paid, you can earn some unfair money here. That's it about openURL tracking.

Let's have a quick look at the HTTP request tracking. Here everything is much simpler: every time your app makes a request to your backend, the Mintegral SDK can collect this data, including HTTP request headers, cookies and so on, so your authorization tokens can be collected as well as some other sensitive information.

One interesting fact about monetization is that usually a developer integrates more than one advertisement network into the app. To do that, developers use mediation platforms like MoPub by Twitter, AppLovin, ironSource and so on. The platforms aggregate a bunch of different advertisement SDKs and decide which banner to show and when, hence in many cases developers are not even aware which exact advertisement SDKs are integrated in the app they wrote. In the case of the Mintegral SDK, the tracking could be enabled even if the developer never heard about Mintegral, if he or she installed it as part of a mediation platform. Interestingly, the SDK checks as well if you run on an emulator, or a debugger is attached to your device, or if you have a jailbroken device, or if you are under a proxy, and disables tracking in these cases. That means even if a developer has monitoring of outbound connections, there is no chance to catch the tracking requests. I believe that's why the SDK remained unnoticed for more than one year.

On August 24th we went public with our findings. It made a lot of noise; even non-technical press like Forbes decided to publish it. A couple of days after the publication, the mobile marketing company Singular wrote an article about a significant drop in click hijacking and fraud. They didn't mention any names for obvious reasons, but it's still fun to see the effect your publication created. Later, in October, Twitter's mediation platform MoPub removed Mintegral as a certified mediation network. As far as I know, at some point ironSource did the same. So overall we were happy that our research helped the world become a bit better and reduce fraud.

Then Mintegral decided to make the source code of the SDK public, open source. Personally I wouldn't call it open source, because you can't get the code without explicitly asking Mintegral about it. I mean, the code is not published on GitHub or anywhere else where you can just download it. But one of our partners sent us the source code and we decided to perform a diff analysis to check if the tracking functionality was indeed removed and prove that everything is okay now. On this slide you can see classes which were present in the original closed source version but were deleted from the open source one. The first one, the CX6 stuff, is the already known tracking functionality. But what is remote command? Why haven't I looked at it before, and why did they decide to delete it from the open source?

So, all advertisement in your app is usually just HTML pages, and think about it, it's a really convenient way to represent a banner or a splash screen. If you need animation, you can use some CSS features; if you need interactivity, you can add JavaScript; and it's really cross-platform, it would work on Android, iOS and even in the browser if you want. So we found that MTGRemoteCommand from the previous slide, from the diff analysis, is used inside what is called MTGBaseBridgeWebView, which is the base webview used all over the SDK for almost all types of ad. You can imagine, if a banner is an HTML page, both Mintegral and the advertiser can control the banner payload, the JavaScript. This is the interface of MTGRemoteCommand, a sample of how to call MTGRemoteCommand from JavaScript. It is capable of running a native function by name with arguments. It accepts JSON with four different keys: uniqueIdentifier is the target native class name, name is the method name to call, parameters is an array of arguments for that method, and result is just a helper for MTGRemoteCommand to figure out how to serialize data back to the result. By the way, this is the same base64-like encoding as I mentioned at the beginning, not normal base64. So it means that both the advertiser and Mintegral itself theoretically can execute code remotely on your device, and they can do it ignoring any App Store security checks, because the application is already on your device and the banner is downloaded through the internet. I decided not to have a live demo for this talk, but instead I'll show you a demo video with a very simple application and how the RCE could be exploited.

So, at the right side you can see a terminal with an evil server running on it. The server is going to host a banner with the RCE payload and receive data from the RCE. On the left side you can see the emulator and what is called the "secret note" application. It's the simplest possible secret note application you can imagine. Let's have a look at it. Oh, sorry, it happens sometimes, I don't know why. So now you can see the field with text; it's the only field of the application. You can edit it and save it, and down below you can see the fake Coca-Cola banner. Immediately, on the right side, some data was already stolen: the package name, the device identifier and the default note text. Now let the user change the note, and while the user is changing the note you can see that the exploit is running in a loop in the background and continues to receive some data from the application. Click on the update button, and now the new updated note text is on the malicious backend. So this is the demo of the RCE.

Now let's have a look at the code. The application has a pretty simple UI, I'm not going to show it. The only important thing for us right now is that the app uses two static methods to save and load the note text. So basically it has a NoteRepository class and it uses a txt file somewhere in memory on the device, and the NoteRepository class has two static methods: load, to get this text file, and save, to put it back to memory. This is the exploit which is a part of the fake Coca-Cola banner on your screen. The exploit is super simple as well. Basically you just navigate to "mv blah blah handleNativeObject?" and then you attach a serialized JSON payload for NoteRepository for the MTGRemoteCommand class, you have seen it already. The uniqueIdentifier is NoteRepository; it has the prefix "static" to let MTGRemoteCommand know that we are going to call a static method of the class. The name is load, basically to load the secret note, and the result is "string" to serialize it back. As well, you have to register a callback function to receive data from the native function call; the callback is doing serialization of the result and sending it back to the malicious backend. The backend is running on localhost in this case.

On this slide you can see a logical diagram of the application itself and how the RCE got executed. I may repeat myself here a bit, but I'd like to make this part crystal clear. This green rectangle is the code written by the developer, first-party code. It communicates with the third-party code, with the Mintegral ad SDK, via the MTGRemoteCommand class, which through a webview with the banner communicates with the malicious advertiser backend and the Mintegral backend. We haven't observed any signs of malicious activity in the binaries we checked, and I don't know if this RCE was ever used with malicious intent, but we can speculate about it a bit. Someone theoretically can target specific iOS versions, inject a rootkit and steal any of your private data: passwords, pictures, contacts, everything. The next day we reached out to Apple, pointing out that a lot of popular applications have this RCE stuff. Apple reacted very fast, sending emails to all affected application owners. Interestingly, they haven't mentioned Mintegral somehow; instead they said you have to delete the MTG invitation boxing class or your application will be removed from the App Store. As I mentioned before, the SDK could be installed as part of a mediation platform, and it's not really obvious whether MTG invitation boxing is relevant to me, if Mintegral is the case somehow. So this situation caused a lot of questions on the internet; you can see some of them on different forums.

So the impact. Today we covered two issues that came from the same SDK. The first one could be used in fraud schemes and violates user rights, sending and possibly collecting PII. The second issue opens the possibility for remote code execution on your device. One SDK attacks thousands of applications and billions of users all over the world. Personally I am proud that this research eventually helped to reduce fraud cases, protect many users and increase awareness in the mobile developers community. If you want some juicy technical details, I strongly recommend you to check our research write-up; it has all the details about both Android and iOS, and a really nice demo of more complex exploits. And yeah, looks like I'm not good at estimating speaking time, so we have time for questions.

Thank you so much, Kirill, really interesting research and great to get some insight into this. We have no questions in the chat as such, but I personally have a couple of questions, so I'm going to hijack it and go ahead. Who do you think should be held most accountable for apps that end up inevitably using potentially malicious SDKs or ad SDKs? Do you think that the app developers bear responsibility for not performing their own due diligence, or do you think that the app stores themselves, like Google and Apple, need to do a better job of detecting these quicker and weeding them out?

Yeah, it's a great question. I believe this is an effort of both sides. It should be better done in both the Apple and Google backends to check the application security, to detect these cases, especially if a library is installed in many applications and affects so many users. So that's definitely a good point, to check these libraries and verify they are not doing any malicious stuff. But as well, the developer is really responsible for such stuff, so I would recommend all developers to install some tools to scan their dependencies for vulnerabilities.

Yeah, I imagine, you know, that's a shared responsibility model, as with all things cloud-based. So another question I have is, given all the talk recently about supply chain attacks, you know, it's all over the news, but it hasn't really hit the mobile space yet. Do you think something like this might feature as the next supply chain attack, albeit a mobile-based version?

Yes, I believe it's definitely a good vector for a potential malicious actor to exploit the mobile area, and we are actually working on a really interesting research, I hope I'll present it next time, in the mobile development area as well, to show some potential vectors for attack.

Brilliant. We have no other questions, I think we'll wrap it up at that. Kirill, thank you so much for sharing your research and knowledge with the audience, it's been great, and thank you for being part of our event today.
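The webview bridge the talk describes takes a JSON command with four keys (uniqueIdentifier, name, parameters, result) and calls a native class method by name. The following Python model is an added illustration, not the talk's or the SDK's code: it places that open "resolve any class, call any method" dispatch beside an allowlist dispatcher that only exposes methods the native side chose to publish. NoteRepository mirrors the demo app's class from the talk; REGISTRY, ALLOWLIST and AdEvents are hypothetical stand-ins, and the SDK's custom base64-like wrapping is not modelled.

```python
import json
from typing import Any, Callable, Dict

class NoteRepository:
    """Stand-in for the demo app's first-party class (loads/saves note text)."""
    _storage = "default note text"

    @staticmethod
    def load() -> str:
        return NoteRepository._storage

    @staticmethod
    def save(text: str) -> None:
        NoteRepository._storage = text

class BridgeError(Exception):
    pass

def parse_command(raw: str) -> Dict[str, Any]:
    """Decode and shape-check a command: exactly the four keys, list parameters."""
    cmd = json.loads(raw)
    if not isinstance(cmd, dict) or set(cmd) != {"uniqueIdentifier", "name",
                                                 "parameters", "result"}:
        raise BridgeError("malformed command")
    if not isinstance(cmd["parameters"], list):
        raise BridgeError("parameters must be a list")
    return cmd

# Hypothetical registry standing in for runtime class lookup by name.
REGISTRY: Dict[str, type] = {"NoteRepository": NoteRepository}

def dispatch_open(raw: str) -> Any:
    """Vulnerable pattern: web content picks any registered class and any method."""
    cmd = parse_command(raw)
    target = REGISTRY[cmd["uniqueIdentifier"].split(":", 1)[-1]]  # drops "static:"
    return getattr(target, cmd["name"])(*cmd["parameters"])

# Hardened pattern: the native side exposes an explicit, minimal allowlist only.
ALLOWLIST: Dict[str, Callable[..., Any]] = {
    "AdEvents.impression": lambda ad_id: f"logged impression {ad_id}",
}

def dispatch_allowlisted(raw: str) -> Any:
    """Same command format, but only allowlisted (class, method) pairs resolve."""
    cmd = parse_command(raw)
    key = cmd["uniqueIdentifier"].split(":", 1)[-1] + "." + cmd["name"]
    if key not in ALLOWLIST:
        raise BridgeError("method not exposed to web content: " + key)
    return ALLOWLIST[key](*cmd["parameters"])
```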