Bitdefender researchers have analyzed the advertising framework

Dec 11, 2013 12:57 GMT  ·  By

Researchers from Bitdefender have analyzed the Android advertising framework called Widdit. They’ve found that the advertising SDK, which at one point was included in around 1,640 apps from Google Play, exposes devices to some serious risks.

Of the 1,640 applications initially identified by the IT security firm, over 1,100 have already been removed from the Android marketplace.

So what’s the problem with Widdit? First of all, it requests a large number of permissions. The SDK that’s integrated into Android apps is a downloader that retrieves the actual advertisement component.

The SDK requests this large set of permissions up front so that whatever features are added to future versions of the downloaded component can run without further changes.

“These permissions are not necessarily used by the SDK, but requesting them ensures that anything introduced later in the SDK will work out of the box. Among the weirdest permissions we saw are permissions to disable the lock-screen, to record audio or to read browsing history and bookmarks,” Bitdefender’s Bogdan Botezatu noted.

Another noteworthy point is that the SDK can execute code in response to several system events: when the phone receives an SMS, when it is rebooted, when apps are installed or uninstalled, when a call is made, or when the GoogleCloudMessaging API is triggered.
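The two traits described above, a broad permission list and receivers that wake SDK code on system events, are both visible in the host app's manifest, so they can be audited before an app ships or when triaging a suspect APK. The following is an added example, not Bitdefender's tooling and not Widdit's real manifest: it parses a decoded AndroidManifest.xml, flags the permissions the article calls out, and lists the trigger actions each SDK-owned receiver registers for. The manifest, the `com.example.adsdk` package prefix, and the permission and action tables are this example's own constructed choices.

```python
"""Audit a decoded AndroidManifest.xml for broad permission requests and for
receivers that run an embedded ad SDK's code on system events.

Added example; the manifest below is constructed for the demo and the SDK
package prefix is hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree's spelling of android:name

# Permissions that deserve a second look when an advertising library asks for them.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "read incoming SMS",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.DISABLE_KEYGUARD": "disable the lock screen",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browsing history and bookmarks",
    "android.permission.READ_PHONE_STATE": "read device identifiers and call state",
}

# Broadcast actions that let a receiver run code without the user opening the app.
TRIGGER_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS received",
    "android.intent.action.BOOT_COMPLETED": "device rebooted",
    "android.intent.action.PACKAGE_ADDED": "app installed",
    "android.intent.action.PACKAGE_REMOVED": "app uninstalled",
    "android.intent.action.NEW_OUTGOING_CALL": "outgoing call placed",
    "com.google.android.c2dm.intent.RECEIVE": "GCM push message",
}

# Constructed sample: a host app bundling a hypothetical ad SDK under com.example.adsdk.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hostapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
    <application>
        <receiver android:name="com.example.adsdk.EventReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
                <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
            </intent-filter>
        </receiver>
        <receiver android:name="com.example.hostapp.UiReceiver">
            <intent-filter>
                <action android:name="android.intent.action.USER_PRESENT"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def audit_manifest(xml_text: str, sdk_prefix: str) -> dict:
    """Return the sensitive permissions the app requests and, for every
    receiver whose class lives under sdk_prefix, the system events it
    listens for (as human-readable labels, in manifest order)."""
    root = ET.fromstring(xml_text)
    requested = [el.get(NAME) for el in root.findall("uses-permission")]
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS}

    sdk_receivers = {}
    for receiver in root.iter("receiver"):
        cls = receiver.get(NAME, "")
        if not cls.startswith(sdk_prefix):
            continue  # the host app's own receivers are out of scope here
        actions = [a.get(NAME) for a in receiver.iter("action")]
        hits = [TRIGGER_ACTIONS[a] for a in actions if a in TRIGGER_ACTIONS]
        if hits:
            sdk_receivers[cls] = hits
    return {"sensitive_permissions": flagged, "sdk_receivers": sdk_receivers}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, "com.example.adsdk")
    for perm, why in report["sensitive_permissions"].items():
        print(f"permission {perm}: {why}")
    for cls, events in report["sdk_receivers"].items():
        print(f"SDK receiver {cls} wakes on: {', '.join(events)}")
```

On a real APK the manifest is stored in binary XML, so decode it first (for example with apktool or aapt) and feed the text to `audit_manifest`. The receiver check keys on the SDK's package prefix because the permissions are declared by the host app as a whole; only the receiver class names tell you which library actually wakes up on each event.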

When an application containing Widdit is installed on a device, the SDK connects to the Web, checks for the latest version, and retrieves it as a JAR file.

The researchers ran an experiment to show how this could be abused. By setting up a rogue network with a proxy server that intercepts the update request from the Android application, they were able to launch a man-in-the-middle (MITM) attack and replace the legitimate JAR file with a malicious one capable of executing arbitrary code.

Widdit is not the only advertising SDK susceptible to such MITM attacks. Bitdefender researchers say they’ve successfully launched an attack against the Vulna/AppLovin framework as well.