Ad Vulna: Vulnerable and Aggressive Adware Threatening Millions
fireeye.com
This is why I'm really hesitant to use popular libraries like Flurry.
I'm making a kids game & really want to respect the kids' privacy. I can't hand the keys to all that data & possible backdoors to some "free" third party library & just trust they will play nice.
After giving some thought to your same issue (customer privacy and security), I moved on to use Piwik (http://piwik.org/ a well known opensource analytics server) on a personal server. There are also native libraries for mobile usage (I use PiwikTracker https://github.com/mattiaslevin/PiwikTracker for iOS and OS X). Fewer bells and whistles than Flurry, but definitely a more controlled environment. ;)
Piwik allows site owners to track and uniquely identify visitors using their IP addresses. If I were concerned about my privacy I would trust Google more than a random website owner. Just a point to consider.
You can always identify your customers through your application without any external library or effort. The point is that (your analytics provider) can track you through all the apps using the library. This is a significant difference, IMHO.
The developer can obviously trust themselves and the user has trusted that particular developer (and the app store approval process) as they can already use the phone features allowed to that app.
If you use Flurry/Crashlytics/... then that is an additional entity (of many people) that both the developer and the user are trusting.
Piwik allows you to not log any number of bytes of an IP address. So you can e.g. make it log and display 123.213.x.x instead of a full IP. This is vastly better for privacy than sending all your visitors' details to Google in the USA.
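Masking the trailing bytes of a visitor's address before it is stored or displayed, as the comment above describes for Piwik, as an added example in Python (not Piwik's own code; the IPv6 rule and the log-line format are assumptions made here):

```python
import ipaddress
import re

def anonymize_ip(ip: str, mask_bytes: int = 2) -> str:
    """Zero the trailing `mask_bytes` bytes of an address before logging it.

    IPv4: mask 1..3 bytes (0 keeps the full address).
    IPv6: assumption, not Piwik's documented rule: mask four times as many
    bytes, so a 2-byte IPv4 mask (/16) corresponds to a /64 for IPv6.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        if not 0 <= mask_bytes <= 3:
            raise ValueError("mask_bytes must be 0..3 for IPv4")
        keep_bits = 32 - 8 * mask_bytes
    else:
        if not 0 <= mask_bytes <= 4:
            raise ValueError("mask_bytes must be 0..4 for IPv6")
        keep_bits = 128 - 32 * mask_bytes
    # strict=False lets the host bits be discarded instead of raising.
    network = ipaddress.ip_network(f"{addr}/{keep_bits}", strict=False)
    return str(network.network_address)

def display_ip(ip: str, mask_bytes: int = 2) -> str:
    """Render an IPv4 address as 123.213.x.x for reports; IPv6 falls back
    to the zeroed form."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return anonymize_ip(ip, mask_bytes)
    octets = str(addr).split(".")
    return ".".join(octets[: 4 - mask_bytes] + ["x"] * mask_bytes)

# Dotted-quad candidates inside free text (e.g. a web server access log).
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scrub_log_line(line: str, mask_bytes: int = 2) -> str:
    """Replace every valid IPv4 address in a log line with its masked form;
    tokens that merely look like addresses (e.g. 999.1.1.1) are left alone."""
    def _mask(match: re.Match) -> str:
        try:
            return anonymize_ip(match.group(0), mask_bytes)
        except ValueError:
            return match.group(0)
    return IP_RE.sub(_mask, line)

# Constructed sample line, not from any real server.
SAMPLE_LINE = '123.213.45.67 - - [10/Oct/2013:12:00:00 +0000] "GET /piwik.php HTTP/1.1" 200 43'
```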
What kind of trust are you talking about?
To be fair, every server logs an IP with every request anyway.
They need a new term -- "Vulna" is just too close in sound and in look to "vulva." Maybe it is on purpose to catch people's attention (it caught mine in a near spit-take), but that would be a poor decision for anyone who wants to be taken seriously.
That didn't even cross my mind. Perhaps it depends on language background?
Natural English here and didn't occur to me either.
Relevant: http://xkcd.com/671/
I thought exactly the same when looking at it
I'm interested if anyone has been able to identify the library or spot any clues other than the image from the article http://www.fireeye.com/blog/wp-content/uploads/2013/10/scree...
It could be any of a dozen in the 2% range http://www.appbrain.com/stats/libraries/ad
Just noticed it seems to be some sort of Tamagotchi clone from what I can see. The yellow/white meter could be growth and the icon to the right an egg. This (unrelated) app uses the same 'notebook' style of backdrop.
https://lh3.ggpht.com/8gjIb24gOSjoLwxYvVgfFfMz9ItAT_0h86QRlY...
The game is candy crush so I assume it refers to AdTrack.king which is strange because googling that library shows that people knew it was malicious even while it wasn't flagged as such by mobile AV. http://malwarefixes.com/remove-adtrack-king-com-redirect/
I'm curious as to why FireEye chose not to disclose the library. What would you call this kind of disclosure?
"I'm curious as to why FireEye chose not to disclose the library."
For the same reason that most responsible security researchers don't disclose zero-day threats: to prevent people from exploiting them before they can be fixed. In this case, they did notify Google, which can pull the compromised apps out of their app store and notify the developers who've used this library that they need to rewrite their apps.
Covering their own asses so the framework dev doesn't come after them is the only reason I could see.
The pixelization just reminds me of 'dodgy plumbers' on 'current affairs' shows or somesuch. I'm sure someone will recognize the pictured app eventually.
Your point is moot.
The ad library, which runs the code and exposes the JS APIs so that HTML ads can call them, probably advertises to its clients that they can do that.
So which actor exactly is being left out if they do not disclose? Only the victims.
What kind of perverted joke is this? They're making grandiose claims about severe security threats without telling us which library it is? This is pure spam. I'm going to flag this nonsense.
That's what I thought, read all the way to the end and didn't even find out what the actual threat was. Ridiculous.
Key quote:
"We have analyzed all Android apps with over one million downloads on Google Play, and we found that over 1.8% of these apps used Vulna. These affected apps have been downloaded more than 200 million times in total."
This must be a false report, because according to Eric Schmidt, Android is more secure than the iPhone. There cannot be 200 million vulnerable downloads.
Typical Android