In some cases, this would allow an attacker sitting on the same network as those running the vulnerable ad code to take control over functions on the phone. This means they can access the camera, audio streams and other files on the phone, like email. In many cases, ad networks are allowing JavaScript to interact with the device over something called a native bridge. Security consultancy MWR InfoSecurity has uncovered similar problems in mobile ads and the related ad networks’ Software Development Kits (SDKs).

The company’s researchers started tracking such techniques when they were used in a malvertising attack on a YouTube page, which was spreading malware again going through the Google advertising network DoubleClick. That could then be used to immediately redirect users to a malware-laden site or start attacking them straightaway. Looking at the ActionScript features within Adobe Flash, widely used by ad networks for delivering “dynamic” adverts, Bromium found it was possible to execute JavaScript within Firefox, Internet Explorer and Opera. Then there are the functions of ads themselves, the “powerful scripting capabilities” that could be put to malicious use if the ad network was compromised in some way, Bromium noted in its research. That’s partly because exploit kits look for similar information in web users’ computers when targeting them, such as operating system and browser types. Kashyup claimed hackers’ deployment of exploit kits - tools that throw a bunch of attack code at those who browse malicious sites - could be “outsourced” to the ad networks.