Aggressive adware and PUPs 'increase vulnerability to malware'

News by SC Staff

Apps that exploit users for advertising revenues and in-app purchases worsen mobile phone performance and collect unnecessary data, potentially increasing vulnerability.

Android mobiles are increasingly being targeted by Potentially Unwanted Programs (PUPs). These are often offered through legitimate channels, but they mislead people and then bombard the user with aggressive advertising and in-app purchases, as well as taking unnecessary amounts of personal data. As a result they also impair phone performance, but they are not officially designated as malware because the user initially requested their installation.

The leading offender is adware, which aggressively and persistently presents advertisements and exploits the OS or other software to force the device to advertise in a questionable manner. Secondly, there are more generalised PUPs, a broader category that includes apps which seek suspicious permissions beyond their advertised function, impact device performance, use vulnerable code or operate dubious in-app purchases.

Marcin Kleczynski, CEO at Malwarebytes, said in an email, “Not only are these pieces of software annoying and needlessly expensive, but they can end up seeing personal data put to dubious use. Aggressive advertising and sneaky pay-to-play schemes in particular are on the increase. In the beginning there were few offenders, but there are now a number of SDKs on the market which make it easy to create multiple variants, as well as bundle these together in a single app.”

Armando Orozco, senior malware intelligence analyst at Malwarebytes, explained that these apps ask for permissions well beyond what the host app itself actually requires, commenting: “Typical examples of the types of privileges they seek are things like access to a person's contact book, the ability to write history and bookmarks, the ability to create shortcuts without explicit permission and even being able to send SMS.”

Because these apps aim to drive revenue, games are a very popular place to find these SDKs, but they can appear in any category where ads can be specifically targeted, so anything from productivity to adult-themed apps is exploited. Orozco adds: “Often there are apps with three or more of these SDKs bundled, not just adding to the bloat but potentially exposing the user to vulnerabilities that lie in the SDKs' code. Malware could potentially exploit that security hole to access the user's device.”

In response, Malwarebytes has today launched a new version of its Anti-Malware Mobile, which adds PUP protection and gives people an option to automatically detect and block these dubious apps. Given the nature of such apps, the classification of an app as a PUP will initially be made by a human researcher. The software will still allow scheduling of updates over WiFi and social sharing of the app with friends, features French translation, and allows users to send feedback and request new features.

Google is reported to have been working to address this situation by altering its developer policy so that developers are required to announce if their adware uses push notifications or makes changes to the system, by requiring a EULA to be presented and offering an opt-out. “This has made it a little more difficult to operate and has removed some overly aggressive apps, but it has to tread a very fine line,” says Orozco.