“They are aggressive at collecting sensitive data, embedding functionalities and capabilities to perform dangerous operations such as downloading and running new code on demand, and they are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users,” researchers Yulong Zhang, Hui Xue, Tao Wei and Dawn Song wrote today on the company’s blog. The researchers also point out that the 2,000 Google Play apps have been downloaded more than 100,000 times each, putting 2.56 billion total downloads at risk. FireEye said it has informed Google and InMobi.

The prominent issue with InMobi is its use of a new JavaScript annotation, @JavaScriptInterface, introduced by Google in the Jelly Bean version of the mobile OS, replacing addJavaScriptInterface used in older versions. addJavaScriptInterface enabled JavaScript running inside a WebView to access an app’s Java methods, FireEye said. This is risky because it allows untrusted content in a WebView to access the host app and, as a result, execute an attacker’s code with the app’s permissions.

“InMobi uses the new @JavaScriptInterface annotation to deliberately expose interfaces that allow aggressive behaviors such as making phone calls without user consent, thus opening a sidedoor for JavaScript loaded by this app’s WebView,” the researchers wrote.

With @JavaScriptInterface in Jelly Bean, the annotation limits which methods are accessible from JavaScript. The problem is that more than 80 percent of the Android market is on a version lower than Jelly Bean and vulnerable to any number of malicious behaviors.

InMobi, meanwhile, has implemented the newer annotation starting with version 3.6.2 and has exposed a number of features to JavaScript beyond making phone calls. An attacker could leverage this weakness to send mail and SMS messages, take photos, display images, post to social networks or turn on the microphone on a mobile device.

“InMobi builds a sidedoor in host apps with these aggressive features to endow content in WebViews with these capabilities,” the FireEye researchers wrote.

An attacker sitting in a man-in-the-middle position could not only hijack HTTP traffic from an app using InMobi, including DNS hijacking, but could also inject malicious javascript to exploit the sidedoors, FireEye said. “The built-in sidedoor in InMobi gives the attacker the opportunity to perform these malicious activities by misguiding users to consent.”
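The following is an added illustration of the WebView bridge mechanism the article describes; it is not InMobi's code or FireEye's, and the class name `AdBridge`, the method names and the ad URL are constructed for the example. It shows the defensive shape a host-app developer would want: only a harmless method carries the annotation (which the Android framework spells `android.webkit.JavascriptInterface`), sensitive actions such as placing a call are never exposed to page JavaScript, no bridge is installed at all on versions older than Jelly Bean 4.2 (API 17) where the annotation is ignored, and plain-HTTP ad content is refused so a man-in-the-middle cannot substitute a page that calls into the bridge.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical bridge object handed to a WebView (example code, not an SDK's).
// On API 17+ only methods annotated with @JavascriptInterface are callable from
// page JavaScript; everything else stays private to the host app.
public final class AdBridge {
    private final Context context;

    public AdBridge(Context context) {
        this.context = context.getApplicationContext();
    }

    // Exposed on purpose: read-only, harmless information the ad page may need.
    @JavascriptInterface
    public String getSdkVersion() {
        return "example-1.0"; // constructed placeholder value
    }

    // NOT annotated: unreachable from JavaScript on API 17+. A method that places
    // a call, sends SMS, or opens the camera should never carry the annotation;
    // such actions belong behind an explicit, user-initiated Intent instead.
    public void placeCall(String number) {
        // deliberately not exposed to the WebView
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void attachTo(WebView webView, Context context) {
        // Below API 17 the annotation is ignored and every public method of the
        // bridge object is reachable from page JavaScript, so install no bridge.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AdBridge(context), "AdBridge");

        // Block any navigation that is not HTTPS so a man-in-the-middle on the
        // ad traffic cannot inject a page that drives the bridge.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                String scheme = Uri.parse(url).getScheme();
                return !"https".equalsIgnoreCase(scheme); // true = refuse to load
            }
        });

        // Constructed URL; a real integration would load the network's ad endpoint.
        webView.loadUrl("https://ads.example.invalid/creative.html");
    }
}
```

From the page's side, `window.AdBridge.getSdkVersion()` resolves, while `window.AdBridge.placeCall(...)` is undefined on API 17 and later. Checking `Build.VERSION.SDK_INT` at runtime matters because the annotation is only enforced when the app's `targetSdkVersion` is 17 or higher and the device actually runs that release; on the older devices the article says make up most of the market, the only safe bridge is no bridge.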

InMobi responded with a new SDK, version 4.0.4, which changed its methods for making phone calls, requiring user permission, and added a downloads folder storing files grabbed from the Internet, FireEye said. FireEye said the changes are a step in the right direction, but still leave users vulnerable to social engineering attacks.

“We understand that library vendors like InMobi have the incentive to add rich functionality, however, it is important for the vendors to advise app developers about such features and functionality that cause sensitive security and privacy risks, so that app developers can make informed decisions,” the FireEye researchers wrote.

Ref: http://threatpost.com/author/michael