Flawed Android app devkit puts users in danger of MitM attacks

In this age of prevalently free software and services, it’s difficult to make users pay for apps, and especially so in the Android ecosystem. Consequently, mobile app developers widely use software development kits (SDKs) to earn money.

But not all SDKs are the same – in fact, many are borderline malicious, seeking and taking advantage of permissions that have nothing to do with those needed by the app to do its work.

Among these is Widdit, an advertising framework that it really a stripped-down downloader for the actual SDK, and which asks for all permissions it could need now or at some point in the future, such as permission to disable the lock-screen, or record audio.

“When the user starts the application, it connects to the Internet and checks the latest version of the SDK, then fetches it – a JAR file – from the web,” explains Bitdefender senior e-threat analyst Bogdan Botezatu.

“The SDK can also execute specific code when one of the following events is detected on the phone: when the phone has rebooted, when it receives an SMS, when a call is placed, when an application is installed or uninstalled or when an intent occurs from the GoogleCloudMessaging API.

But the danger it presents to the users does not end up here. As it turns out, the Widdit framework downloads the aforementioned JAR file via HTTP (i.e. unencrypted traffic), and then does not even check whether the downloaded JAR is the right one.

Bitdefender researchers tested the possibility of an alternate, malicious JAR file being served via proxy when the downloader tries to fetch the original file. The result? “The application downloaded and ran the JAR file and executed the malicious code without objection, as it had been granted phone calling and SMS interception permission upon installation.”

Such a MitM attack can easily be executed in a real-world environment, especially when most mobile devices (and that includes those running Android) are more often than not connected to untrusted WiFi networks.

Bitdefender has already notified Google about some 1,640 apps on Google Play based on Widdit, and the company has already taken down 1,122 of them.

But, according to Botezatu, this is not the only framework vulnerable to MitM attacks – two of his colleagues have identified another one last month (Vulna/AppLovin framework), and have successfully mounted this type of attack against it.

What can you do to protect yourself from this danger? For one, you could carefully review the permission asked by each app you seek to install, and decide not to do it if the permissions are not essential to support its stated functionality.

And if you are not sure that you understand the implications of the permissions, you can try using mobile privacy software that will help you make an informed decision.