Mobile advertising in itself is not dangerous, but when the content of the ads isn’t held to certain standards, it can be. The impact bad mobile ads have on users goes beyond annoying pop-ups: even malware can be delivered via legitimate ad networks, a practice known as malvertising.

Wandera’s threat researchers wanted to better understand the risks that could be introduced to remote workers via in-app advertising, particularly since ads are delivered dynamically and are not part of either Apple or Google’s application review process. Mobile ads represent a possible backdoor onto the device since they are unmonitored and often packaged up as part of a legitimate piece of software.

Mobile advertising is made possible through an ecosystem of partners and service providers. There are three main areas that comprise the mobile advertising ecosystem:

  1. The ad framework – how the ad is physically presented to a user
  2. The ad network – how the ad is distributed and delivered to an app
  3. The ad content – what gets pushed into the system

Exploring mobile advertising is like unraveling an onion with the ads themselves at the core. Ads appear within an app, but knowing how to get them there requires expertise. You need to know how to get the ads, distribute the ads, select the right ad for the right user, format the ads, and encourage the user to interact with the ad content.

The ad framework – delivery of unvetted content

Ad frameworks make it very easy for developers to monetize their apps with ads by simply incorporating the framework (or SDK) into their code. Some of the most popular ad SDKs for Android include Facebook Audience Network, Google Ads Admob, and StartApp.

Our researchers wanted to explore a service that wasn’t associated with a single well-known advertiser, such as Google or Facebook, so they took a closer look at the framework from StartApp, which would, presumably, provide app developers with ads from a wider variety of advertising networks.

StartApp provides options that allow the developer to determine how the ads appear on the page. The techniques used to deliver advertising include:

  • Full-screen or pop-up
  • Native push notifications
  • Interactive UI elements (such as “accept” or “register” buttons)
  • Website redirection to move a user away from the app to a webpage

Our research indicates that StartApp has no responsibility for the actual content contained within the ads. However, the company is directly compensated by the advertising networks it uses for the supply of ads presented to users.

StartApp claims that its SDK is integrated into 19.01% of total ad-supported Android apps. It also ranks in the top 3 for holding the lowest SDK uninstall rate on iOS.

Our research indicated that this ad framework was present in 699 Android mobile apps within Wandera’s customer base. Most of the apps in question are free, though many provided in-app purchases as an additional source of revenue beyond advertising for the developers.

The ad network – distribution of unvetted content

Wandera’s analysis of the apps utilizing the StartApp ad framework shows that the vast majority of ads displayed through it (approximately 90%) are obtained from a single ad network.

The network consists of a large number of globally distributed servers and diverse domain names that allow the ad network to hide behind multiple subsidiaries, physical and Internet-based.

The ad network is operated by a commercial entity that receives payments from advertisers or content providers in exchange for distributing ads to users, allowing it to selectively post content without being directly tied to it.

The ad content – a hard paper trail to follow

Content providers (advertisers) introduce ads into the network by paying a fee. The network distributes ads through a variety of channels, one of which is an ad framework such as StartApp, Facebook Audience Network, or Google Ads Admob. Mobile app developers seeking to monetize their apps through advertisements embed an ad framework into their apps.

The ads presented by the mobile apps included in this research are offensive, misleading, and, in some cases, malicious. Ads include:

  • Pornography (presented within apps that targeted children under 18)
  • “You’ve won a prize” style scams that are used to con consumers and compromise personal information
  • Phishing attacks that are designed to collect credentials and sensitive user data
  • Unwanted service subscriptions that persist even after the app is deleted.

It can sometimes be impossible to trace an ad back to its source. Ad content providers represent a combination of legitimate businesses, hackers, scammers, and other entities. In order to have their ads pushed through the system, they must be able to create an ad that meets the visual requirements. These advertisers must also have a contract to pay the ad network for managing the distribution of their content. These funds ultimately trickle through the system, paying the ad network operators, the ad framework developers, and the app developers.

A closer look at one app

Our researchers documented the connections made from one of these ad-enabled applications, titled ‘Get Free Fans for tik, Followers & Likes for Tok’ (which we will refer to as “the fans app” for convenience), and found that many of the network connections made were to sites that had been identified as hosting malicious content. These domains were cross-referenced with VirusTotal to validate Wandera’s findings. Note: this app has since been removed from Google Play.

Wandera’s researchers tested how the fans app performed and how ads changed based on location and discovered the app behaves differently when a VPN isn’t active.

When tested without a VPN turned on, the fans app is relatively harmless. With the VPN on, we observed the following behavior:

  • When the user clicks one of the presented options on the home page, the full-screen splash ad appears.
  • The whole splash screen is a trigger, except for the almost invisible “No thanks” button at the bottom.
  • A ‘y0utube’ scam is triggered with an “allow to watch” button which is just a lure to confuse the user into pressing “allow” in order to gain push notification permission. There is never a video played.
  • The user’s device is then flooded with push notifications containing ads, inappropriate content such as pornography, links to third-party app stores, malware disguised as anti-virus software, and more.

Where’s the smoking gun? We don’t know

Since our research into the ad framework began, 699 apps were identified as containing the ad framework, and 47% of those apps have subsequently been removed from the Play store; this is a significantly higher percentage than what we see in other application hosting environments. That seems to indicate that the app store maintainer — in this case, Google — goes for the nearest throat to choke. In our analysis, that turns out to be the app developer, even though they most likely did nothing wrong.

Below are the 10 most popular Android apps that Wandera identified as having the ad framework embedded and that are being used by real enterprise workers within its global customer base. Note that the reported downloads are from the time of our original research; some apps may now report higher download counts.

| Package Name | App Name | Number of downloads at time of research |
| --- | --- | --- |
| com.apusapps.launcher | APUS Launcher Pro- Theme, Live Wallpapers, Smart | 100,000,000 |
| fahrbot.apps.undelete | Undeleter Recover Files & Data | 10,000,000 |
| com.bariskaplan.citycardriving | City Car Driving | 10,000,000 |
| com.extremefungames.mototrafficrace | Moto Traffic Race | 10,000,000 |
| com.extremefungames.mototrafficrace2 | Moto Traffic Race 2: Multiplayer | 10,000,000 |
| net.rention.mind.skillz | Skillz – Logic Brain Games | 10,000,000 |
| com.mastercomlimited.cardriving_t | Drive for Speed: Simulator | 10,000,000 |
| com.mega_mc.mcpeskinstudio | Skins for Minecraft | 10,000,000 |
| com.crazylabs.myemmafull | My Emma 🙂 | 10,000,000 |
| com.balysv.loop | ∞ Infinity Loop ® | 10,000,000 |

Recommendations

It’s very difficult as a user to vet the ads displayed in applications. As we have demonstrated above, once the ad infrastructure is there, there is no way to control what is presented and how and when it is displayed. We recommend the following steps to reduce the negative impact of harmful advertising practices:

  • Avoid downloading free apps where possible. Free apps are more likely to use aggressive advertising techniques for monetization.
  • Always check user reviews for signs that other users may be dealing with aggressive, dangerous or inappropriate ads.
  • Use a security solution that can:
      • Detect malicious network traffic that may be coming from ads
      • Block command and control communication while allowing apps to continue running
      • Block ads to minimize disruptions
      • Monitor for phishing scams that may be embedded in ads
      • Identify and flag known-bad apps that contain bad ads
      • Restrict access to third-party app downloads
      • Analyze apps based on risk factors
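
One way to act on the "identify and flag" and "analyze apps based on risk factors" recommendations, shown as an added example that is not Wandera's tooling: scan an app inventory for classes that belong to the ad SDKs named in this article. The Java package prefixes, the `App` record, and the inventory below are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed Java package prefixes for the three SDKs the article names;
# verify them against the SDK versions present in your own fleet.
AD_SDK_PREFIXES = {
    "StartApp": ("com.startapp",),
    "Google AdMob": ("com.google.android.gms.ads",),
    "Facebook Audience Network": ("com.facebook.ads",),
}

@dataclass
class App:
    package: str                                  # application ID from the inventory
    classes: list = field(default_factory=list)   # class names extracted from the APK

def has_prefix(class_name, prefix):
    # Match on a package boundary so "com.startappy.Util" is not a hit.
    return class_name == prefix or class_name.startswith(prefix + ".")

def embedded_sdks(app):
    """Names of the ad SDKs whose classes are packaged inside the app."""
    return {
        sdk
        for sdk, prefixes in AD_SDK_PREFIXES.items()
        if any(has_prefix(c, p) for c in app.classes for p in prefixes)
    }

def flag_inventory(apps, allowed_sdks=frozenset()):
    """Map package -> sorted ad SDKs found that are not on the allowlist."""
    report = {}
    for app in apps:
        hits = embedded_sdks(app) - set(allowed_sdks)
        if hits:
            report[app.package] = sorted(hits)
    return report

# Constructed inventory: hypothetical apps and class lists, not research data.
INVENTORY = [
    App("com.example.fans", ["com.example.fans.Main", "com.startapp.sdk.adsbase.StartAppSDK"]),
    App("com.example.notes", ["com.example.notes.Main", "com.startappy.Util"]),
    App("com.example.game", ["com.google.android.gms.ads.AdView", "com.facebook.ads.AdView"]),
]

if __name__ == "__main__":
    for pkg, sdks in flag_inventory(INVENTORY, allowed_sdks={"Google AdMob"}).items():
        print(f"{pkg}: {', '.join(sdks)}")
```

Because ad content is served dynamically, a match here only says the delivery channel is present in the app; it says nothing about which ads the app will actually show.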