There is an Android advertising framework called Widdit that was included in up to 1,640 apps on Google Play, and it exposes devices to some serious risks, researchers said.
Of the 1,640 applications initially identified by IT security firm Bitdefender, over 1,100 are now gone from the Android marketplace.
One of the issues behind Widdit is that the malware requests a large number of permissions. The SDK integrated into Android apps is only a downloader that retrieves the actual advertisement component.
The permissions are requested up front so that any feature integrated into a future version of the SDK can run without any problems.
“These permissions are not necessarily used by the SDK, but requesting them ensures that anything introduced later in the SDK will work out of the box,” said Bitdefender’s Bogdan Botezatu.
Another issue behind Widdit is that the SDK can execute specific code when the phone receives an SMS, when it reboots, when an app is installed or uninstalled, when an outgoing call is placed, or when the Google Cloud Messaging API is triggered.
When an application containing Widdit is installed on a device, the SDK connects to the Web, checks for the latest version, and retrieves it as a JAR file.
Researchers tested how cybercriminals could abuse this. By setting up a rogue network with a proxy server that intercepts the update request from the Android application, they were able to mount a man-in-the-middle (MitM) attack and replace the legitimate JAR file with a malicious one capable of executing arbitrary code.
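The weakness the researchers exploited is that the SDK loads whatever JAR the network hands it. The following is an added illustration, not Bitdefender's or Widdit's code: the unauthenticated download-and-load pattern the article describes next to a hardened version that accepts an update only over HTTPS and only after a detached signature verifies against a signing key pinned in the app. The class and method names, the `update.jar` path, the separate signature URL and the placeholder vendor key are all assumptions for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import android.content.Context;
import android.util.Base64;
import dalvik.system.DexClassLoader;

// Added example, not the SDK's own code: a dynamically updated ad component,
// loaded unverified (the pattern in the article) and loaded only after a
// signature check against a key pinned in the app.
public final class SdkUpdateLoader {

    // Pinned vendor signing key (DER SubjectPublicKeyInfo, Base64). Placeholder value:
    // a real SDK ships its vendor's key inside the app, never fetched from the update server.
    private static final String VENDOR_PUBKEY_B64 = "<vendor-public-key-placeholder>";

    // BEFORE: whatever arrives over the network goes straight to a class loader,
    // so a proxy that swaps the JAR gets arbitrary code execution in the app.
    public static Class<?> loadUnverified(Context ctx, String jarUrl, String entryClass)
            throws Exception {
        File jar = download(new URL(jarUrl), new File(ctx.getCodeCacheDir(), "update.jar"));
        return loadJar(ctx, jar, entryClass);
    }

    // AFTER: HTTPS only, and the JAR is authenticated with a detached signature checked
    // against the pinned key before it is loaded. A network attacker can still block or
    // replay an update, but can no longer substitute code of their own.
    public static Class<?> loadVerified(Context ctx, String jarUrl, String sigUrl,
                                        String entryClass) throws Exception {
        URL url = new URL(jarUrl);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new SecurityException("update URL must use https: " + jarUrl);
        }
        File jar = download(url, new File(ctx.getCodeCacheDir(), "update.jar"));
        byte[] sig = Base64.decode(readAll(new URL(sigUrl)), Base64.DEFAULT);
        if (!verifySignature(jar, sig)) {
            jar.delete(); // never leave an unverified JAR where a later load could pick it up
            throw new SecurityException("update signature did not verify; refusing to load");
        }
        return loadJar(ctx, jar, entryClass);
    }

    // SHA256withRSA over the raw JAR bytes, verified with the pinned public key.
    static boolean verifySignature(File jar, byte[] sig) throws Exception {
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                new X509EncodedKeySpec(Base64.decode(VENDOR_PUBKEY_B64, Base64.DEFAULT)));
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        try (InputStream in = new FileInputStream(jar)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) verifier.update(buf, 0, n);
        }
        return verifier.verify(sig);
    }

    // Load the named class from the JAR through an app-private DexClassLoader.
    static Class<?> loadJar(Context ctx, File jar, String entryClass)
            throws ClassNotFoundException {
        File optDir = ctx.getDir("dex_opt", Context.MODE_PRIVATE);
        DexClassLoader loader = new DexClassLoader(jar.getAbsolutePath(),
                optDir.getAbsolutePath(), null, ctx.getClassLoader());
        return loader.loadClass(entryClass);
    }

    static File download(URL url, File dest) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try (InputStream in = conn.getInputStream();
             OutputStream out = new FileOutputStream(dest)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        }
        return dest;
    }

    static byte[] readAll(URL url) throws IOException {
        try (InputStream in = url.openStream()) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) > 0) bos.write(buf, 0, n);
            return bos.toByteArray();
        }
    }
}
```

The point of the design is that the trust anchor (the vendor's public key) is compiled into the app rather than delivered by the same channel an attacker on the path controls; HTTPS alone helps against a rogue network, but the signature also covers a compromised or misconfigured CDN and survives the update being cached or mirrored.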
Widdit is not the only advertising SDK susceptible to such MitM attacks. Bitdefender researchers said they have successfully carried out the same attack against the Vulna/AppLovin framework as well.