Detecting Hidden Malicious Ads: a new, dynamic detection system could prevent malicious ads from entering the market and so protect smartphones, say experts.
Malvertising (a portmanteau of “malicious advertising”) is the use of online advertising to spread malware.
Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Online advertisements provide a solid platform for spreading malware because significant effort is put into them in order to attract users and sell or advertise the product. Because advertising content can be inserted into high-profile and reputable websites, malvertising gives malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is “attractive to attackers because they ‘can be easily spread across a large number of legitimate websites without directly compromising those websites’.”
Some ads pop up between stages in games while others sit quietly in the sidebars. Mostly harmless, ads are a source of income for developers who often offer their apps for free. But as more and more people own smartphones, the number of malicious ads hidden in apps is growing — tripling in just the past year. In order to curb attacks from hidden malicious ads, Chen and his team are working to better understand where these ads originate and how they operate. This research has resulted in a dynamic system for Android that detects malicious ads as well as locates and identifies the parties that intentionally or unintentionally allowed them to reach the end user.
Websites or web publishers unknowingly incorporate a corrupted or malicious advertisement into their page. Computers can become infected pre-click and post-click. It is a misconception that infection only happens when visitors begin clicking on a malvertisement. “Examples of pre-click malware include being embedded in main scripts of the page or drive-by-downloads. Malware can also auto-run, as in the case of auto redirects, where the user is automatically taken to a different site, which could be malicious. Malware can also be found in the delivery of an ad – where a clean ad that has no malware pre or post click (in its build and design) can still be infected whilst being called.”
Malicious code can hide undetected and the user has no idea what’s coming their way. A post-click malvertisement example: “the user clicks on the ad to visit the advertised site, and instead is directly infected or redirected to a malicious site. These sites trick users into copying viruses or spyware usually disguised as Flash files, which are very popular on the web.” Redirection is often built into online advertising, and this spread of malware is often successful because users expect a redirection to happen when clicking on an advertisement. A redirection that is taking place only needs to be co-opted in order to infect a user’s computer.
Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place “clean” advertisements on trustworthy sites first in order to gain a good reputation, then they later “insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus”, thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace, making it hard to prevent the attacks or stop them altogether, because the “ad network infrastructure is very complex with many linked connections between ads and click-through destinations.”
Last year, Chen’s team used its system to test about one million apps in two months. It found that while the percentage of malicious ads is actually quite small (0.1 percent), the absolute number is still large considering that 2 billion people own smartphones worldwide. Ads that ask the user to download a program are the most dangerous, containing malicious software about 50 percent of the time. Ad networks could potentially use Chen’s system to prevent malicious ads from sneaking into the ad exchange. Ad networks buy space in the app through developers, and then advertisers bid for that space to display their ads. Ad networks use sophisticated algorithms for targeting and inventory management, but there are no tools available to check the safety of each ad.
“It’s very hard for the ad networks,” Chen said. “They get millions of ads from different sources. Even if they had the resources to check each ad, those ads could change.” The team will present their research, findings, and detection system on Feb. 22, 2016 at the 2016 Network and Distributed System Security Symposium in San Diego, California. Chen’s work grew out of exploring the little-studied interface between mobile apps and the Web. Many in-app advertisements take advantage of this interface: when users click on the advertisement within the app, they are led to an outside web page that hosts malicious content. Whether it is an offer to download fake anti-virus software or fake media players or to claim free gifts, the content can take many forms to trick the user into downloading software that gathers sensitive information, sends unauthorized and often charged messages, or displays unwanted ads.
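The following is an added example, not the detection system built by Chen's team and not code from the original article. It walks recorded post-click redirect chains, lists each party in the chain, flags the hop that serves an Android package, and marks an ad whose chain has changed since it was last checked. The observation records, host names and field layout are constructed for the illustration.

```python
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"  # MIME type of Android packages

# Constructed click traces (ad_id, day, hops); every host is a made-up .example name.
OBSERVATIONS = [
    ("ad-17", 1, [("https://net-a.example/click?id=17", "text/html"),
                  ("https://shop.example/landing", "text/html")]),
    ("ad-17", 9, [("https://net-a.example/click?id=17", "text/html"),
                  ("https://track.example/r?u=x", "text/html"),
                  ("https://dl.example/player.apk", APK_MIME)]),
    ("ad-42", 1, [("https://net-b.example/click?id=42", "text/html"),
                  ("https://news.example/story", "text/html")]),
    ("ad-42", 9, [("https://net-b.example/click?id=42", "text/html"),
                  ("https://news.example/story", "text/html")]),
]

def parties(chain):
    """Hosts in hop order, with consecutive repeats collapsed."""
    hosts = []
    for url, _ in chain:
        host = urlsplit(url).hostname
        if not hosts or hosts[-1] != host:
            hosts.append(host)
    return hosts

def download_hop(chain):
    """Return (serving_host, referring_host) for the first hop delivering an APK, else None."""
    for i, (url, ctype) in enumerate(chain):
        if ctype == APK_MIME or urlsplit(url).path.lower().endswith(".apk"):
            prev = urlsplit(chain[i - 1][0]).hostname if i else None
            return urlsplit(url).hostname, prev
    return None

def review(observations):
    """Per ad: report chains that end in a download or that changed since the last check."""
    last, findings = {}, []
    for ad_id, day, chain in sorted(observations, key=lambda o: (o[0], o[1])):
        hosts = parties(chain)
        hit = download_hop(chain)
        changed = ad_id in last and last[ad_id] != hosts
        if hit or changed:
            findings.append({"ad": ad_id, "day": day, "parties": hosts,
                             "download": hit, "changed": changed})
        last[ad_id] = hosts
    return findings

if __name__ == "__main__":
    print(*review(OBSERVATIONS), sep="\n")
```

Re-running the review on a schedule is what catches an ad that was clean when first placed and altered later; the referring host in the result is the party to contact about the hand-off.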