43 Android apps in Google Play with 2.5M installs loaded ads when a phone screen was offSecurity Affairs

Experts found 43 Android apps in Google Play with 2.5 million installs that displayed advertisements while a phone’s screen was off.

Recently, researchers from McAfee’s Mobile Research Team discovered 43 Android apps in Google Play with 2.5 million installs that loaded advertisements while a phone’s screen was off.

The experts pointed out that this behavior violates Google Play Developer policy, in impacts the advertisers who pay for Ads that will be never displayed to the users, and also the users because it drains battery, consumes data, and exposes them to multiple risks, including information leaks and disruption of user profiling caused by Clicker behavior. 

The malicious apps include TV/DMB players, music downloaders, news apps, and calendar applications.

Google Play

The Ad Fraud campaign uncovered by McAfee targeted mainly Korean Android users.

According to the report the ad fraud library used in this campaign implements specific tricks to avoid detection and inspection, such as delaying the initiation of its fraudulent activities.

“It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior.” reads the report. “Notably, the latent period typically spans several weeks, which makes it challenging to detect.”

The rogue apps start fetching and loading the ads when the device screen is turned off after the latent period. The users will never know that their devices are involved in this fraudulent scheme. The ad library registers device information by accessing the unique domain (ex: mppado.oooocooo.com) linked with the application. The app retrieves the specific advertisement URL from Firebase Storage and shows the ads.  

However, quickly turning on the

Read More ...

Google addressed 3 actively exploited flaws in AndroidSecurity Affairs

Google released July security updates for Android that addressed tens of vulnerabilities, including three actively exploited flaws.

July security updates for Android addressed more than 40 vulnerabilities, including three flaws that were actively exploited in targeted attacks.

“There are indications that the following may be under limited, targeted exploitation.” reads the security bulletin.

The CVE-2023-26083 is an Arm Mali GPU kernel driver information disclosure vulnerability that the US CISA added to its Known Exploited Vulnerabilities catalog in April 2023.

The CVE-2023-26083 is chained with other issues to install commercial spyware, as reported by Google’s Threat Analysis Group (TAG) in a recent report.

The second actively exploited flaw addressed by Google is a high-severity issue, tracked as CVE-2021-29256, that affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. An unprivileged user can exploit the flaw to gain unauthorized access to sensitive data and escalate privileges to the root.

The third actively exploited flaw is a critical integer overflow in Skia, which is a Google’s open-source multi-platform 2D graphics library. The flaw was reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-04-12.

A remote attacker who has taken over the renderer process can trigger the flaw escape the sandbox and execute arbitrary code on Android devices.

Google released two patch levels, the first one released on July 1 addressed 22 vulnerabilities in the Framework and System components.

The second patch level, released on July 5, fixed 20 vulnerabilities in the kernel and closed source components.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)

link … Read More ...