Signing up with an ad network is often the most profitable option for developers of free mobile apps, particularly games. By agreeing to open up a backdoor, developers get a portion of the revenue from advertising shown to the smartphone user.
That perfect doorway into the app is starting to attract cybercriminals. Security researchers have reported finding corrupt ad networks that download malware to siphon dollars from victims.
The scheme is straightforward. The network operators look for developers more interested in profits than in spending a lot of time vetting their partners. Luring developers is often as easy as offering more money than other networks.
Once the partnership is established, the developer embeds the network's code into the app. In legitimate operations, the kit sends back user information that helps advertisers determine which ads the recipient is most likely to click on. The kit also downloads ads and tracks their effectiveness.
The arrangement becomes sleazy when the personal information gathered goes far beyond what's needed to run the app. Over-the-top data collection could include contact lists, device identification numbers and even call logs. The added data enables much better tracking of the person's smartphone usage.
Wade Williamson, a senior security analyst at Palo Alto Networks, recently discovered an ad network operating in Asia that pulled down malware that hijacked an Android smartphone's text-messaging service.
The malicious application package file (APK) runs in the phone's system memory, which hides it from the victim. Rather than launch on its own, the app waits until a legitimate app is being installed and then displays a popup window asking for permission to access the SMS service.
Once all this is done, the malware sends texts to premium rate numbers. The small charges, oftentimes missed by the victims, typically appear on the monthly phone bills.
The network is far from a large-scale operation. Williamson found only a half dozen samples of the malware, which he suspects is coming from one criminal group.
The malicious network was found in apps provided by online stores other than the official Google Play, which scans for malicious code and privacy violators. While not used much in the U.S., third-party app stores are common in Asian countries and Russia.
These regions have become a laboratory for cybercriminals experimenting with Android malware. Today, the majority of mobile malware, 77 percent, wrings money from victims through paid messaging services, according to the latest threat report from Juniper Networks.
In general, researchers have found ad networks and their developer partners getting more aggressive when it comes to collecting personal information. Late last year, Trend Micro reported that the line between legitimate data collection and violating privacy was blurring.
The vendor identified two networks, AIRPUSH and ADWLEADBOLT, that used information gathered from apps to send ads to the Android home screen as a notification. Clicking on the notice would open the phone's browser and send the user to the advertiser's website.
Besides being a headache, such adware has been found to make phones run slower and to drain battery life. A study conducted by Purdue University and Microsoft found that as much as three-fourths of the power used by free apps stems from third-party ad modules.
The Federal Trade Commission is paying attention to mobile security and privacy. In February, the commission put mobile device manufacturers on notice that they could be held responsible for protecting their customers' privacy.
The warning followed a settlement with smartphone and tablet maker HTC, which the commission charged with failing to protect customer data in software the company designed for millions of devices.
HTC agreed to make changes in its development process to bolster security and privacy, and advocates at the time said it was the beginning of an FTC crackdown.
How far the FTC goes in regulating privacy remains to be seen. In the meantime, smartphone users would be wise to pay close attention to permissions they give to apps they install. They should also stick with trusted app stores and make Google Play the first choice.