Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Mobile

    Advertising-Supported Apps Exposing Mobile Devices to Malware

    By
    Wayne Rash
    -
    June 1, 2017
    Share
    Facebook
    Twitter
    Linkedin
      Mobile Malware

      Normally I don’t spend a lot of time worrying about malware on my iPhone. After all, Apple supposedly screens apps to make sure they are malware-free and iOS is allegedly resistant to malware.

      This is probably why I was shocked and annoyed when malware arrived, leaving me with the choice of accepting it or hoping nothing bad would happen if I left it alone while I uninstalled the app.

      I use the app in question, MyFitnessPal distributed by Under Armour, several times a day. But it’s not essential to my life or my business, so uninstalling it wasn’t a big deal. I just  went back to counting calories manually.

      I’d been using the MyFitnessPal for iOS for a couple of years because it allows me to track my food consumption easily. The app has a vast crowd-sourced database of food, and it has a bar-code scanner. Best of all, it integrates with the software for my Garmin fitness tracker, so I can track the calories used as well as the calories eaten.

      Like many apps, MyFitnessPal is advertising supported, and normally the ads are unobtrusive. But then, while I was recording the bagel and coffee I had for breakfast, a dialog box opened offering just one choice, which was “OK.” Further use of the app was impossible. Closing and reopening the app didn’t change anything.

      For that matter, shutting down the device didn’t change anything either. Every time I opened the app, I saw the box announcing download.prizesbook.online and telling me that I had a chance to win an iPhone 7. I knew that if I clicked on OK, my browser would be hijacked and my phone would then have malware from the site installed on my phone instantly.

      So, I did what any tech journalist would do. I took screen shots. Then I tried to find a way to report a malware infection to Apple and to the app maker. Turns out, you can’t. Apple apparently does not have a means to report malware that appears on an iOS device, apparently in the belief that it can’t happen. MyFitnessPal doesn’t have any obvious means of reporting a security problem either.

      Eventually, I was able to send emails to both companies reporting the malware, but it took two days for a response. Apple’s response was a form letter that provided nothing useful. Eventually the app maker provided a form for me to fill out, but nothing useful came of that, either. I was effectively stuck with the malware infested app, unless I removed it from my phone.

      What happened was that MyFitnessPal uses what’s called “remnant ad inventory” to deal with excess ad capacity. “To address your question, this specific ad is being served to you through remnant ad inventory,” an Under Armor spokesperson told me. “We have seen similar instances in the past but in most cases users are able to navigate back to the app and nothing is downloaded to the phone,” the spokesperson said.

      This means is that the app vendor was aware of the security hole in their software, but chose to do nothing about it thinking it wasn’t a big deal. However, the ability to hijack the app is apparently something new. Fortunately the MyFitnessPal folks did take some action.

      “When these ads are reported, we act quickly to both identify the source and work with our remnant ad partners to block the ad from being served again,” the spokesperson said. “We have also implemented a secondary ad scanning solution to help address this situation and remove any malicious ads.”

      So it appears that the MyFitnessPal app is being protected by some sort of security software, but we’ll see how effective it is.

      On June 1 Under Armour issued a formal statement to eWEEK about its efforts to protect mobile device users from malware-infected ads.

      “Under Armour is committed to providing the best consumer experience possible. We use automated solutions to monitor and prevent questionable ads from being published and work with our publishing partners to screen ads before being served. We take these matters very seriously and immediately address all feedback regarding these types of ads.”

      However, this problem is common throughout the ad-supported app industry. App vendors set up an automated process to get ads and then serve them to users. Since it’s  totally automated, there’s little if any oversight. Whatever shows up through the ad network is what gets served, with little to no supervision.

      While Under Armour and MyFitnessPal have clearly known about these malware laden ads, until now they haven’t done anything about them. Apparently, the fact that in the past they could be bypassed meant that they weren’t taken seriously. But this hands-off policy didn’t consider app users who didn’t know how to bypass the malware or who thought it was somehow part of MyFitnessPal.

      As bad as the lack of security awareness may be at Under Armour, they are not alone. Other ad-supported software, including iOS and Android apps, but also including apps for Windows and Macintosh computers are vulnerable to this type of attack.

      While users with sufficiently advanced anti-malware protection will catch these attacks before they cause damage, it shouldn’t be left up to customers to find ways to defend themselves against the app vendor’s ad network.

      In this instance, it appears that Under Armour took the necessary steps to fix the problem, although it should have been done when it was first noticed. But that’s just one app provider. What about the rest of the ad-supported industry? Is anyone else taking this threat seriously?

      EDITOR’S NOTE: This article was updated to correct the spelling of Under Armour’s corporate name and to add a new statement from the company asserting its commitment to protecting consumers from “questionable” advertisements.

      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×