FireEye researchers have reported a continuing “widespread security issue” hitting Android users who download apps from stores like Google Play that bundle standard components from advert libraries.
The company estimates that these vulnerabilities are present in billions of apps worldwide. A recent blog post from the firm reveals that nearly half of the top 40 Android ad libraries contain the JS Binding Over HTTP flaw, for example, and that 42 percent of the most popular Google Play apps access one or more of these ad libraries.
With over 12.4 billion downloads of these popular apps, the blog adds: “Our analysis shows that these security issues are widespread, have affected popular apps on Google Play accounting for literally billions of app downloads.”
According to researchers at security consultancy MWR InfoSecurity, which raised the issue in September 2013, the vulnerability dates back years and was first exposed publicly in December 2012.
But Jason Steer, director of technology strategy for FireEye EMEA, told SCMagazineUK.com that the firm is now seeing actual exploitation of such weaknesses in the wild.
“The reason why we've blogged about it now is this is becoming more widely exploited – it's moved from being a theoretical security angle, to being used by attackers currently. We're seeing multiple Android apps having this abuse already in the third-party app stores where a lot of people go to.”
FireEye is advising ad library and Android app developers to adopt better security features and practices. And Steer said they are responding when made aware that the problem is ‘real’.
“App developers take the off-the-shelf library and put it into their app without appreciating some of the security risks they may be exposing some of the users of these apps to, and perhaps even the business that these people work on behalf of as well,” he said. “But when you see potentially thousands and thousands of people who inadvertently get exposed to it, then there's a responsibility to try and fix it.”
Rob Miller, security consultant with MWR InfoSecurity, told SCMagazineUK.com that corporate security professionals and end-users – as well as developers – need to take action.
“This issue does affect a large number of users. The actual implications will depend on how you use Android devices,” he said.
“For users it's a matter of – think twice before downloading these applications and check ‘am I happy with the idea of keeping personal data on a device that has potentially these kinds of vulnerabilities?’.
“And finally for companies it's really a matter of making sure if you are implementing BYOD, that you've really locked down the policy; that it's not just a ‘yes you can bring in your own device and it's probably OK’ – that you've actually gone through the security checks, that you've talked through the potential issues and that you then have the policies in place.”
FireEye said Android 4.1 or below is still running on more than 80 percent of Android devices worldwide.
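The JS Binding Over HTTP flaw named above arises when an app binds a Java object into a WebView with `addJavascriptInterface` and then loads ad content over plain HTTP; on Android 4.1 and below, anyone who can alter that HTTP response controls JavaScript that can reach the bound object through reflection. The following is an added illustration of that pattern beside a hardened version, written for this article and not code from FireEye, MWR InfoSecurity or InMobi; the `AdBridge` class, the ad URL and the assumption that the app targets API 17 or higher are all constructed for the example.

```java
// Added illustration for this article; not code from FireEye, MWR or any ad library.
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class AdWebViewSetup {

    /** Hypothetical object an ad library exposes to the WebView's JavaScript. */
    public static class AdBridge {
        // On API 17+ (with targetSdkVersion >= 17) only annotated methods are callable from JS.
        @JavascriptInterface
        public String getAdUnitId() { return "AD_UNIT_PLACEHOLDER"; }
    }

    /** Vulnerable: a JS-to-Java bridge plus ad content fetched over plain HTTP.
     *  Whoever can tamper with the HTTP response controls the JavaScript that runs
     *  with access to the bridge; on Android 4.1 and below every public method of
     *  the bound object is reachable through reflection, not just annotated ones. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void vulnerable(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AdBridge(), "AdBridge");
        webView.loadUrl("http://ads.example.invalid/serve");   // constructed placeholder URL
    }

    /** Hardened: fetch ad content over HTTPS only, bind the bridge only on API 17+
     *  (where @JavascriptInterface limits what JS can call), and on older devices
     *  serve ads with no bridge at all and drop the interface older WebKit builds
     *  injected by default. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardened(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AdBridge(), "AdBridge");
        } else {
            // Android 4.1 and below: degrade to ads without any JS-to-Java hook.
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        webView.loadUrl("https://ads.example.invalid/serve");   // constructed placeholder URL
    }
}
```

A reviewer auditing a bundled ad library can grep its code for `addJavascriptInterface` and `loadUrl("http://` together to find the vulnerable combination; the HTTPS change alone removes the network tampering path even on devices that will never leave Android 4.1.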
FireEye has analysed the vulnerability specifically in relation to InMobi apps and says that it has informed both Google and InMobi of its findings. Both companies have been actively working to address the problems.