2 min read

Clueful Detects Vulnerable Applovin/Vulna Apps

Răzvan STOICA

November 18, 2013

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Clueful Detects Vulnerable Applovin/Vulna Apps

Bitdefender Labs malware researchers Vlad Bordianu and Tiberius Axinte have created a proof-of-concept exploit for the vulnerable Applovin ad-serving framework (also known as Vulna) versions 2.0.74 through 5.0.3 included. The exploit runs arbitrary code in the context of the affected Android app.

To exploit the vulnerable update function included in Applovin, an attacker needs to be able to respond to framework update requests originating from the target device. In the studied scenario, this is performed via a man in the middle HTTP injection attack at the wireless router level, although other attacks may also be practicable.

The attack is made possible by the lack of encryption in transit and the lack of an update authentication mechanism – the only verification that is performed is a simple integrity check, in which a hash (included in the header of the update server’s response) must coincide with the hash of the actual update package. Had the update process used HTTPS, the attack would no longer have been possible.

“We cannot say if the Google Play application review process will prevent the creation of other SDKs or individual apps that present such functionality in the future. Google should definitely give some attention to the issue, as otherwise a malicious programmer might publish a perfectly legitimate app with such a backdoor function and turn it into a data-stealing trojan later” commented Catalin Cosoi, Chief Security Strategist for Bitdefender.

The insecure update mechanism has been removed in the latest version of the Applovin SDK. Bitdefender Clueful can detect any apps which still use vulnerable versions of the SDK.

tags


Author



Right now

Top posts

Vulnerabilities Identified in Wyze Cam IoT Device

Vulnerabilities Identified in Wyze Cam IoT Device

March 29, 2022

1 min read
New FluBot and TeaBot Global Malware Campaigns Discovered

New FluBot and TeaBot Global Malware Campaigns Discovered

January 26, 2022

10 min read
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

December 10, 2021

2 min read
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

November 08, 2021

2 min read
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

September 16, 2021

2 min read
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

July 21, 2021

9 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike
Filip TRUȚĂRăzvan GOSAAdrian Mihai GOZOB
4 min read
New FluBot and TeaBot Global Malware Campaigns Discovered New FluBot and TeaBot Global Malware Campaigns Discovered
Bitdefender

January 26, 2022

10 min read
Poking Holes in Crypto-Wallets: A Short Analysis of BHUNT Stealer Poking Holes in Crypto-Wallets: A Short Analysis of BHUNT Stealer
Bitdefender

January 19, 2022

2 min read