“They are aggressive at collecting sensitive data, embedding functionalities and capabilities to perform dangerous operations such as downloading and running new code on demand, and they are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users,” researchers Yulong Zhang, Hui Xue, Tao Wei and Dawn Song wrote today on the company’s blog. The researchers also point out that the 2,000 Google Play apps have been downloaded more than 100,000 times each, putting 2.56 billion total downloads at risk. FireEye said it has informed Google and InMobi.
“InMobi builds a sidedoor in host apps with these aggressive features to endow content in WebViews with these capabilities,” the FireEye researchers wrote.
InMobi responded with a new SDK, version 4.0.4, which changed its methods for making phone calls, requiring user permission, and added a downloads folder for storing files grabbed from the Internet, FireEye said. FireEye said the changes are a step in the right direction, but still leave users vulnerable to social engineering attacks.
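The two preceding paragraphs describe the risk from the host app's side: an ad library opens a bridge from WebView content into the app, and a fix that asks the user before a call is placed. The following is an added example, not FireEye's research code and not the InMobi SDK, showing how a host app can expose a WebView bridge narrowly so that ad content cannot dial silently or pull in code to execute. The class names, the `TRUSTED_ORIGIN` value and the bridge method names are assumptions made for this illustration; the Android APIs used (`addJavascriptInterface`, `@JavascriptInterface`, `ACTION_DIAL`) are real.

```java
// Added example (not FireEye's or InMobi's code): a host app's WebView with a
// deliberately narrow JavaScript bridge. SafeBridge, hostBridge and
// TRUSTED_ORIGIN are assumed names/values for this illustration.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class AdWebViewActivity extends Activity {
    // Only pages served from this origin may reach the bridge (assumed value).
    private static final String TRUSTED_ORIGIN = "https://ads.example.com/";

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);     // needed for the ad content itself
        settings.setAllowFileAccess(false);      // page cannot read file:// URLs
        settings.setAllowContentAccess(false);   // page cannot read content:// providers
        settings.setJavaScriptCanOpenWindowsAutomatically(false);

        // Keep navigation inside the trusted origin; anything else goes to the
        // system browser instead of being rendered with our bridge attached.
        // (WebResourceRequest overload requires API 24+.)
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                String url = request.getUrl().toString();
                if (url.startsWith(TRUSTED_ORIGIN)) {
                    return false;  // let the WebView load it
                }
                startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(url)));
                return true;       // consumed: external browser handles it
            }
        });

        // On API 17+ only methods annotated @JavascriptInterface are reachable
        // from the page, so the bridge surface is exactly the two methods below.
        webView.addJavascriptInterface(new SafeBridge(), "hostBridge");
        webView.loadUrl(TRUSTED_ORIGIN + "ad.html");
    }

    private class SafeBridge {
        // Bridge methods run on a background thread; WebView.getUrl() must be
        // read on the UI thread, so the origin check is posted there.
        @JavascriptInterface
        public void dial(final String number) {
            // Accept only a plain dialable string, never an arbitrary URI.
            if (number == null || !number.matches("\\+?[0-9]{3,15}")) {
                return;
            }
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    String current = webView.getUrl();
                    if (current == null || !current.startsWith(TRUSTED_ORIGIN)) {
                        return;  // request came from a page we did not load
                    }
                    // ACTION_DIAL opens the dialer and the user must press call:
                    // no CALL_PHONE permission, no silent dialing from ad content.
                    startActivity(new Intent(Intent.ACTION_DIAL, Uri.parse("tel:" + number)));
                }
            });
        }

        // A "fetch and run" request is refused outright: the host app ships its
        // own code and never executes files pulled in by page content.
        @JavascriptInterface
        public boolean loadRemoteCode(String url) {
            return false;
        }
    }
}
```

The design choice worth noting is that the bridge exposes specific, user-confirmed actions rather than general capabilities: the page can ask for a call but cannot place one, and there is no method at all through which it could obtain executable code. Any library that needs more than this should document the extra surface so the app developer can decide whether to ship it.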
“We understand that library vendors like InMobi have the incentive to add rich functionality, however, it is important for the vendors to advise app developers about such features and functionality that cause sensitive security and privacy risks, so that app developers can make informed decisions,” the FireEye researchers wrote.