What happened was that MyFitnessPal uses what’s called “remnant ad inventory” to deal with excess ad capacity. “To address your question, this specific ad is being served to you through remnant ad inventory,” an Under Armor spokesperson told me. “We have seen similar instances in the past but in most cases users are able to navigate back to the app and nothing is downloaded to the phone,” the spokesperson said.
This means is that the app vendor was aware of the security hole in their software, but chose to do nothing about it thinking it wasn’t a big deal. However, the ability to hijack the app is apparently something new. Fortunately the MyFitnessPal folks did take some action.
“When these ads are reported, we act quickly to both identify the source and work with our remnant ad partners to block the ad from being served again,” the spokesperson said. “We have also implemented a secondary ad scanning solution to help address this situation and remove any malicious ads.”
So it appears that the MyFitnessPal app is being protected by some sort of security software, but we’ll see how effective it is.
On June 1 Under Armour issued a formal statement to eWEEK about its efforts to protect mobile device users from malware-infected ads.
"Under Armour is committed to providing the best consumer experience possible. We use automated solutions to monitor and prevent questionable ads from being published and work with our publishing partners to screen ads before being served. We take these matters very seriously and immediately address all feedback regarding these types of ads."
However, this problem is common throughout the ad-supported app industry. App vendors set up an automated process to get ads and then serve them to users. Since it's totally automated, there’s little if any oversight. Whatever shows up through the ad network is what gets served, with little to no supervision.
While Under Armour and MyFitnessPal have clearly known about these malware laden ads, until now they haven’t done anything about them. Apparently, the fact that in the past they could be bypassed meant that they weren’t taken seriously. But this hands-off policy didn't consider app users who didn’t know how to bypass the malware or who thought it was somehow part of MyFitnessPal.
As bad as the lack of security awareness may be at Under Armour, they are not alone. Other ad-supported software, including iOS and Android apps, but also including apps for Windows and Macintosh computers are vulnerable to this type of attack.
While users with sufficiently advanced anti-malware protection will catch these attacks before they cause damage, it shouldn’t be left up to customers to find ways to defend themselves against the app vendor’s ad network.
In this instance, it appears that Under Armour took the necessary steps to fix the problem, although it should have been done when it was first noticed. But that’s just one app provider. What about the rest of the ad-supported industry? Is anyone else taking this threat seriously?
EDITOR'S NOTE: This article was updated to correct the spelling of Under Armour's corporate name and to add a new statement from the company asserting its commitment to protecting consumers from "questionable" advertisements.