Analysis and Research on channel advertisement SDK

Analysis and Research on channel advertisement SDK
0x00 background

This year's 3.15 gala on CCTV revealed that taoyoutech had inexplicably deducted fees for mobile phone users by pushing malicious programs, attracting high attention from mobile phone users.

360 the mobile security team analyzed and researched Dao advertising SDK. As of the end of March 2016, a total of 0.8 million application software had been embedded into Dao advertising SDK. From the monthly sample increase statistics, it can be seen that nearly 0.1 million applications had been included in the month of last year.

0x01 Advertisement form

On Tao youdao's official website, he introduced the display forms of its ad SDK, including interstitial ads, Banner ads, and application recommendation ads.

The interstitial advertisements displayed on its official website are embedded in the software. In fact, in its advertisement SDK development documents, plug-in advertisements can also be displayed outside the software, this is exactly the form of 3.15 exposure.

This form of external interstitial display infringes the user's right to know. the user does not know which app is the advertisement, and will directly download the promotion application wherever the screen is clicked, unless it is accurate? To close the advertisement. This kind of anonymous and out-of-app advertisement display not only easily results in traffic loss on users' mobile phones, but also affects the normal use of users' mobile phones, which is defined as malicious advertisements.

0x02 promotion

360 the mobile security team found that, in addition to normal software, a large number of malware, such as 3.15 of pornographic video malware, were found to be popularized using the taoyouad SDK. The trojan analysis reports we released earlier, "Moth" [1] and "worms" [2], spread and infect users' mobile phones with malicious software such as pornographic videos, and are difficult to clean.

The mobile advertising platform does not strictly review promotional applications. It has increased the spread of malware and has become an accomplice. This has eventually led to economic losses and privacy leaks for users.

0x03 evolution of confrontation

360 analysis by the mobile security team found that the taodao advertising SDK uses a combination of static and dynamic methods to continuously combat the soft features, thus avoiding soft removal.

1. Static confrontation

1.1 component name randomization

From the static point of view, we can compare the AndroidManifest of two similar Samples embedded in the SDK. xml file content, you can find that the declared activity and service names are randomly generated with no meaning, which is obviously different from the declaration method of normal software.

1.2 method and string Deformation

The methods and strings in the SDK are constantly changing to avoid soft static feature identification. The onKeyDown method is used as an example to show the changes of different versions.

The original version, method, and string are not encrypted.

The upgraded version. The strings in the method are encrypted with base64.

In subsequent versions, the hiding method is deepened, and the method name and string are saved in the configuration file.

1.3 hide core code

The core functions of the SDK are implemented by dynamically loading dex files, which is also a method to avoid soft static feature scanning. It uses local file release and code run release to hide its core code.

Parse the resource files under the assets Directory to obtain the loaded dex file.

Decodes and releases the binary code of the dex file during code execution.

2. Dynamic confrontation

** 2.1 URL change ** |

From a dynamic perspective, we use the timeline and different colors to show the URL changes of the ad network.

RED: almost all URLs start with "api", and are followed by "is", "cp", and "info" in different time periods. Green part: the end of the URL is "jsp", and there are obvious changes in confrontation from "init", "in" and "i1n2i3t4". The blue part: the intermediate part of the URL changes from "is" to "nis", from "_ B" to "_ tgb", and the yellow part: the starting part of the URL changes from "api" to "ai "; purple part: the URL ends with "wa. */bb "is changed to" ai. wa. */ia ";

The above URL changes are all against dynamic detection technologies such as sandbox.

0x04

The rapid growth of the mobile advertising market has led to the emergence of hundreds of mobile advertising platforms in China. They rely mainly on the integration of AD sdks in mobile apps to collect advertiser display fees for profit. 3.15 of mobile advertising platforms exposed are just a tip on the ice. These platforms are of different sizes and different sizes. The ad sdks they provide do not have a uniform industry standard, it brings certain risks and risks to mobile security.

360 the mobile security team found that the development threshold for developers to embed ad sdks is extremely low. In order to facilitate developers to embed advertisements on their own platforms, some advertising vendors even provide advertisement packaging devices, as long as the application is developed through the package, you can create an application embedded with the Platform advertisement.

The extremely low secondary packaging cost has helped increase the growth of pirated software to some extent. In the 360 Android mobile APP piracy survey report [3] published in 2015, it is pointed out that each genuine APP corresponds to 92.7 pirated apps on average.

With the help of the mobile app platform, advertising manufacturers have the responsibility to strictly review the security of their own promotional software, so as to avoid unnecessary calls and traffic loss caused by advertising to mobile users.

We recommend that you select a large trusted site, such as the 360 mobile assistant and various software official websites, when selecting an app download path. At the same time, install 360 mobile guard to scan and kill regularly.

0x05 references [1]: "Dancing moth" Trojan evolution report [2]: "brain worm" mobile phone virus analysis report [3]: 2015 Android mobile phone app piracy Survey Report