Smartphones are the fastest-spreading technology in human history. Whether glued to the hands of texting tweens or used as the first and only window to the web in developing countries, mobile phones truly have revolutionized the way we live. With U.S. customers predicted to access the web more frequently with mobile devices than desktops by 2015, smart digital strategists plan for the “anytime, anywhere” consumer – and so do malvertisers.
Publishers have already seen massive increases in mobile traffic as audiences shift their attention to smaller screens. According to Ad Age, a full 50% of Pandora users have never accessed the service through their desktop, and 75% of their total listening hours come from various web-connected mobile devices. The company generated $100 million in mobile revenue in 2012. Facebook, too, has earned big money on mobile – the company raked in $150 million from mobile ads in this third quarter, or 14% of its total revenue.
However, just as traditional publishers and advertisers have begun to adapt to their newly mobile audiences, the savviest of malvertisers have done the same. In fact, malvertisers, virus authors and hackers are often ahead of the mainstream in both adapting their tactics and developing new skills for emergent technologies.
Black Hats Follow Users to Mobile
The first mobile virus struck in 2004, and given the early stage of development of many mobile ad platforms so far, it’s likely that we will see an increase in mobile malvertising before we get it under control. Elias Manousos, President and CEO of RiskIQ, reports, “Mobile ads represent an easy method for attackers to receive traffic to exploits and drive downloads of malicious apps.”
According to Lookout, a company that provides malvertising and other protections to smartphone users, over $1 million was stolen from Android users in 2011. As mobile continues to expand its reach and as malvertisers continue to sharpen their mobile skills, we can only expect these numbers to grow.
Furthermore, as our mobile devices hold so much personal data and continue to evolve utilities for payment and other services, malvertisers will surely develop more and more cunning ways to capture, use, and sell users’ personal information, from passwords to PINs, despite the ways that we respond to their attacks with creative and automated solutions. We have to work actively to develop effective counter-responses to the tactics hackers employ on mobile platforms; however, we must also be strategic in the way that we build security and conduct business on mobile, as hackers will always devise cunning new ways to siphon money and steal information.
Malvertising Practices Ported over from Display
In many ways, the development of malware for mobile parallels the rise of malware on the PC. In 1986, the computer world was rocked by its first virus: ©Brain. Written by two Pakistani brothers in an attempt to prevent copyright infringement/piracy of their own heart monitoring software, this virus was the first MS-DOS virus, and it greatly slowed the floppy disk drive while rendering 7KB of disk space unusable to DOS. Antivirus software for ©Brain was not developed until 1988 – beginning the virus/anti-virus chase. First, tech-savvy coders develop and distribute smart new malware, then security companies retaliate by patching holes and developing reactive software.
Just as mobile advertising has ported over many techniques developed for display, mobile malvertising mimics its PC predecessor. However, smart mobile malvertisers take advantage of the unique capabilities native to mobile devices, such as the QR code. QR codes have become one of the most popular combinations of print media and mobile; in fact, in Germany, a full quarter of the population has scanned a QR code. The human eye alone cannot decipher a QR code and the content it delivers. Infected QR codes can contain code that downloads malware that then sends SMS messages to a premium rate number (like a 900 number).
Phishing sites also prey on mobile users’ vulnerabilities. According to Mickey Boodaei, CEO of Trusteer, “always-on” mobile users are the first to succumb to phishing attacks. Mobile users are also the most apt to give up sensitive personal information to these sites – perhaps because they are harder to differentiate from normal sites on the smaller screen.
Malvertisers have infamously developed exploit kits, such as WebAttacker, Poison Ivy, and Blackhole, for display malvertising. These kits enable those who aren’t as technically gifted to easily enter the cracking ecosystem. WebAttacker, for instance, is a “‘bundled’ hack tool” that uploads client-side exploits to a server, recognizes the user’s browser (and serves one of a number of exploits depending on the browser), and downloads a Trojan Horse that then logs keystrokes or opens up backdoors.
The exploit kits typically rely on vulnerabilities in popular software like Java and Adobe to attack users, who don’t always install the latest patch. Kit developers are quick to find and manipulate these exploits, and with a low cost of entry (a few hundred to thousand dollars, based on whether you DIY or request extra customization) and so many unsuspecting or disinterested hosting partners, it is easy for them to begin to enter the pay-per-install malware world. As you might expect, these kits have also been optimized for use on mobile platforms and browsers.
Defining Mobile Malvertising
There has also been an issue in the mobile space when it comes to defining what malware is, exactly. With lax and evolving guidelines when it comes to privacy on mobile, it can be difficult even to just identify malware. For instance, earlier this year, “Android.Counterclank” malware was found by Symantec to have been downloaded as many as 5 million times via 13 different apps on the Android Marketplace. According to Symantec, “Android.Counterclank” is a Trojan Horse that collects a wide range of user data and that is monetized by pushing unwanted ads onto Android devices.
However, according to Lookout, “Android.Counterclank” is merely an “aggressive ad network.” “Android.Counterclank” comes from the Apperhand SDK, which, according to Lookout, does not behave maliciously. Apperhand collects identifying information, like IMEI, but obfuscates raw data. It drops a search icon on the homescreen – just “bad form.” It delivers push notifications and can push browser bookmarks, but that’s not malvertising per se.
In an article in The Wall Street Journal, Max Binshtok, the creator of the DailyHoroscope app, reports that he felt pressure as a developer from ad-network executives to provide more user information than he felt comfortable transmitting. With premium prices for targeted mobile ads – especially those targeted to geographic location – publishers may feel pressure to share more and more user data, and with blurry lines between malvertising and “aggressive ad networks,” they should be wary about what data they share with whom.
This struggle to simply define malvertising on mobile is a great opportunity to open up discussion about privacy guidelines on mobile, and it highlights the need for users to be aware of what their downloads actually do and the permissions they sometimes blindly hand over to apps.
According to Elias Manousos, President and CEO of RiskIQ, “Many ads are disguised as application functionality, clicking on ads that look to be part of the app can trigger the malvertisement or encourage the installation of a malicious app. Consumers should think twice about granting certain permissions to apps that don’t require those permissions to function (for example access to contact book and SMS).”
Media Buyers’ Best Practices are also Malvertisers’ Best Practices
Beyond these app tactics, malvertisers are capitalizing on the same technologies that have been developed to facilitate media buying and selling on mobile for non-malicious advertisers. Every step we take toward simplifying and streamlining the mobile advertising economy also lowers the barrier to entry for the malvertiser and allows him to target a broader base across more and more channels.
Malvertisers have been great media buyers on desktop, and they’ve carried over the same techniques to mobile. They understand the vectors they need to utilize to enter the ecosystem, and they understand the tactics of utilizing geographic targeting, cookies, and the like. Programmatic buying, for instance, has proven itself a boon for malvertisers. The Media Trust’s Alex Calic says that with the advent of more aggregated (programmatic) automated buying methods, the ability for malvertisers to enter the display vertical to get a broad reach for a lower cost increases significantly.
According to Manish Patel, Director, Corporate Interactive Systems at Crain Communications Inc., “Every publisher or media outlet is under revenue pressure and will likely sell in a haste without validating the customer or their background – just the same way malvertising creeps into display.” As publishers work to increase their revenue on mobile and deliver good ROI, they must remember to be cautious about validating the identity of the people and companies to whom they sell their inventory.
In an article on TechCrunch, Kevin Mahaffey, co-founder and CTO of Lookout, cautions, “In 2012, we expect to see the mobile malware business turn profitable. What took 15 years on the PC platform has only taken the mobile ecosystem two years.”
So, how are mobile consumers, developers, publishers and everyone else supposed to weather this coming malvertising storm?
Active Management Required
For mobile users: Watch what you click, especially in advertisements. Only download apps from companies you know and trust, or that have a substantial base of users. Be sure to read privacy policies thoroughly (yes, I know that’s a pain), and be cautious of the information you share with each app. Often, you simply don’t have to. If possible, purchase the paid, ad-free version of the app. Consider that $2.99 price tag an investment toward protecting all the data (from credit cards to passwords to SMS messages) you store on your phone and, honestly, saving your time. This is the best way to avoid “aggressive ad networks” and other unscrupulous companies.
For media buyers and sellers, publishers and app developers: Exercise the same caution or more on mobile as you do on display. Make sure that you verify the identities of the media buyers and ad networks with whom you do business. You should be able to deal with your partners in person, and you should be familiar with their business practices and privacy policies. In order to protect the integrity of your publication, whether on the mobile web or in your app, you must be sure to carefully handle the type and amount of user data you share with your technology partners.
Data analytics can be a publisher’s best friend at this time, as they can help to differentiate between the behavior of legitimate ad networks and that of “rogue affiliates.” Mary Landesman, a senior researcher at ScanSafe, suggests, “Run behavioral, signature, and reputation tools across ad networks to help more quickly identify malvertisements and rogue advertisers. Monitor ad delivery for abnormal spikes that may be indicative of users being unwittingly redirected to those sites.”
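As an added illustration of the spike monitoring described above (this example is not from the original article or from any vendor named in it), the sketch below flags hours in which an ad network’s delivery count jumps far above its own recent baseline. The network names, hourly counts, window size and threshold are all constructed assumptions; it uses a median/MAD score so that one abnormal hour does not hide the next.

```python
from statistics import median

def robust_z(value, history):
    """Modified z-score of `value` against `history` (median and MAD)."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    if mad == 0:
        # Perfectly flat baseline: any change at all is an outlier.
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def find_spikes(series, window=6, threshold=3.5):
    """Indexes of points that spike above their trailing `window` baseline."""
    spikes = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]  # the current hour is excluded
        if robust_z(series[i], baseline) > threshold:
            spikes.append(i)
    return spikes

def flag_networks(delivery, window=6, threshold=3.5):
    """Map each ad network with at least one spike to its spiking hours."""
    flagged = {}
    for network, series in delivery.items():
        hours = find_spikes(series, window, threshold)
        if hours:
            flagged[network] = hours
    return flagged

# Constructed sample: hourly ad deliveries per network (hypothetical names).
DELIVERY = {
    "network-a": [1000, 1040, 980, 1010, 990, 1025, 1005, 1015, 995, 1030],
    "network-b": [400, 410, 395, 405, 390, 415, 400, 2600, 2750, 420],
}

if __name__ == "__main__":
    for network, hours in flag_networks(DELIVERY).items():
        print(f"{network}: abnormal delivery at hours {hours}")
```

A flagged hour is a prompt to review which creatives and landing pages that network served during the window, not proof of malvertising on its own.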
As mobile advertising continues to become more prevalent, malvertisers will continue to shift their focus to the medium. At the moment, the space is notoriously difficult to manage even for the most experienced publishers. As we move forward on mobile, the development of better standards – both in terms of app development and media buying/selling – will make it harder for malvertisers to penetrate the space. Until then, the best precaution is to exercise due diligence when dealing with your mobile inventory.
New platforms and technologies will always attract bad actors, particularly when they are still developing the standards and security necessary to protect users. Just as we’ve developed automated defenses to combat viruses and spam on display, the industry will have to devise better algorithms and automated technologies to effectively fight the innovations of malvertisers on mobile.