FireEye security researchers have discovered that the Vpon advertising SDK carries support for intrusive commands that would let a remote third party manipulate iOS devices.
The Vpon advertising SDK is offered to Chinese and Taiwanese developers. Its purpose is to simplify embedding Vpon adverts in iOS applications. The Vpon SDK is built on Apache Cordova, a mobile development framework for writing mobile applications with web technologies such as HTML5 and JavaScript.
FireEye reports that the Vpon SDK contains functions that allow an attacker to record audio or video, take screenshots of the device, read its geolocation, access the address book, interact with other apps, and upload the collected data to a remote server. According to FireEye, these functions are implemented as Apache Cordova plugins; they are disabled in the final version of the SDK, so developers cannot reach them.
Nevertheless, despite Vpon’s protective measures, there is still a way for developers to obtain these functions. An unrestricted version of the SDK is available through the AdsMogo service, an aggregator for various advertising SDKs.
So far, FireEye researchers have identified 36 applications on the official App Store that use the Vpon SDK offered through AdsMogo.
These applications can be abused by a simple command delivered in an ad’s JavaScript. The app in which the ad is embedded loads the ad’s JavaScript files through the Vpon SDK, which maps the code onto actions based on its internal routines. The Apache Cordova plugins then act as an intermediary, translating those JavaScript commands into Objective-C calls.
FireEye stated that it has not detected any exploitation attempts via this SDK; however, Apple has not removed the reported applications. The security company also says that Vpon has remained unresponsive to all of its contact attempts and that the intrusive functions are still present in the SDK, even though they are restricted in the official version.
Because the SDK communicates over plain HTTP, an attacker does not need to control Vpon’s servers: a man-in-the-middle position on the same network is enough to inject malicious instructions into the ad traffic of nearby devices.
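The two risks described above, a JavaScript-to-native bridge that reaches sensitive device capabilities and an SDK that talks over cleartext HTTP, are both things a defender can check offline in an unpacked app bundle. The following Python script is an added example and is not FireEye's, Vpon's or AdsMogo's code. It assumes the bundle contains a Cordova `config.xml` (which declares the native plugins the JavaScript bridge can call, each with its `ios-package` class) and an `Info.plist` whose App Transport Security keys decide whether cleartext HTTP is permitted; the sample bundle contents and the feature-to-capability mapping are constructed for illustration.

```python
"""Audit an unpacked iOS app bundle for a Cordova-based ad SDK's reach.

Added example; not code from the report or from Vpon. Assumptions:
the bundle ships a Cordova config.xml and an Info.plist, and the
feature names below (constructed mapping) cover the capabilities
the report describes.
"""
import plistlib
import xml.etree.ElementTree as ET

# Constructed mapping of Cordova feature names to the capability a
# JavaScript ad payload could reach through them. Names vary by
# plugin version, so treat this as an assumption, not a complete list.
SENSITIVE_FEATURES = {
    "Camera": "camera / screenshots",
    "Capture": "audio and video recording",
    "Media": "audio recording and playback",
    "Geolocation": "device location",
    "Contacts": "address book",
    "File": "on-device file access",
    "FileTransfer": "upload of files to a remote server",
}


def _local(tag: str) -> str:
    """Strip the XML namespace Cordova puts on every config.xml element."""
    return tag.split("}")[-1]


def cordova_features(config_xml: str) -> dict:
    """Return {feature name: iOS native class} declared in config.xml."""
    root = ET.fromstring(config_xml)
    found = {}
    for feat in root.iter():
        if _local(feat.tag) != "feature":
            continue
        ios_class = None
        for param in feat:
            if _local(param.tag) == "param" and param.get("name") == "ios-package":
                ios_class = param.get("value")
        found[feat.get("name")] = ios_class
    return found


def flag_sensitive(features: dict) -> list:
    """Return (feature, capability) pairs the bridge exposes, sorted by name."""
    return sorted((n, SENSITIVE_FEATURES[n]) for n in features if n in SENSITIVE_FEATURES)


def allows_cleartext(info_plist: bytes) -> bool:
    """True if App Transport Security lets the app load plain HTTP."""
    plist = plistlib.loads(info_plist)
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads", False):
        return True
    for domain in ats.get("NSExceptionDomains", {}).values():
        if domain.get("NSExceptionAllowsInsecureHTTPLoads", False):
            return True
    return False


def audit_bundle(config_xml: str, info_plist: bytes) -> list:
    """Collect human-readable findings for one bundle."""
    findings = []
    for name, capability in flag_sensitive(cordova_features(config_xml)):
        findings.append(f"JS bridge can reach {capability} via Cordova feature '{name}'")
    if allows_cleartext(info_plist):
        findings.append("ATS permits cleartext HTTP: ad traffic can be tampered with in transit")
    return findings


# Constructed sample config.xml: two sensitive features and one benign one.
CONFIG_XML = """<widget id="com.example.adhost" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets">
  <feature name="Geolocation"><param name="ios-package" value="CDVLocation"/></feature>
  <feature name="Contacts"><param name="ios-package" value="CDVContacts"/></feature>
  <feature name="Device"><param name="ios-package" value="CDVDevice"/></feature>
</widget>"""

# Constructed Info.plist variants: the weak setting beside the hardened one.
WEAK_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.adhost",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})
HARDENED_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.adhost",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": False},
})

if __name__ == "__main__":
    for label, plist in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(f"[{label} bundle]")
        for line in audit_bundle(CONFIG_XML, plist):
            print("  -", line)
```

The script reports which native capabilities the JavaScript bridge can reach and whether the transport setting leaves that bridge exposed to on-path tampering; the hardened plist clears the transport finding while the bridge findings remain, which is the point: restricting HTTP narrows the attack surface but does not remove the capabilities a bundled SDK declares.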
“A third party ad library provider, Vpon, is stowing aggressive and risky code ability into the apps that adopt it as an ad-serving platform,” FireEye’s Jing Xie and Jimmy Su stated. “Third party libraries – ad libraries in particular – are often unvetted by the community. It is common and expected that app developers will integrate third party libraries into their apps, so developers should exert caution.”
In 2015, security experts discovered similar advertising SDKs, though these were for Android OS.