DENVER—When developers build mobile apps, they’re not only coding functionality, but they’re also dragging in third-party software development kits (SDKs) for ads, analytics and lots of things in between.
A big function of SDKs is to communicate with a central server to receive instructions and content, but researchers have found that many of these servers have long been abandoned with a healthy number of those domains available for purchase on GoDaddy and other registrars.
This presents a giant opportunity for attackers to scoop up these domains on the cheap and push malicious code to suddenly vulnerable Android and iOS devices.
“Hundreds of these SDK companies were startups existing at one time, but many of these startups died and no one is maintaining this infrastructure. A large part of this infrastructure is unmaintained,” said Zhi Xu, who along with Palo Alto Networks researcher Tongbo Luo exposed this area of concern during a talk at the Virus Bulletin International Conference. “If unmaintained, the apps including these SDKs will try to talk to the master server for instructions and get no response. As domains expire, attackers can take over these domains and infrastructure, and send malicious instructions and content.”
The researchers published a paper called “Beware! Zombies Are Coming” that not only explains the risks, but also quantifies the number of abandoned zombie domains. The researchers looked at 2.8 million Android APK samples that used 575,000 unique root domains, Xu said. Of those, 65,000 currently do not respond and are considered zombies, he said, adding that 33,000 were available on GoDaddy.
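The kind of check described above, reduced to a small audit script, as an added example that is not the researchers' code: pull every http(s) URL out of strings taken from an APK, collapse the hosts to their registrable root domains, and flag the ones that no longer resolve as zombie candidates. The sample strings and host names are constructed, and the suffix list is a deliberate simplification of the Public Suffix List.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample of strings such as one might pull from an APK's string
# resources or decompiled code. The hosts are hypothetical, not from the paper.
SAMPLE_STRINGS = [
    'String CONFIG_URL = "https://cfg.example-ads.com/v2/config?app=demo";',
    'String ANALYTICS = "http://track.example-analytics.net:8080/collect";',
    'String PUSH = "https://push.dead-sdk-startup.co.uk/register";',
    'Log.d(TAG, "no network");',  # no URL: must be ignored
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Minimal set of public second-level suffixes; a real audit would use the
# full Public Suffix List (simplification, not the paper's method).
SECOND_LEVEL = {"co.uk", "com.cn", "com.au", "co.jp"}

def root_domain(host):
    """Reduce a hostname to the registrable root domain that could be bought."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def extract_root_domains(strings):
    """Collect the unique root domains of every http(s) URL in the strings."""
    roots = set()
    for s in strings:
        for url in URL_RE.findall(s):
            host = urlparse(url).hostname
            if host:
                roots.add(root_domain(host))
    return sorted(roots)

def dns_resolver(host):
    """Default probe: True if the name resolves, False when lookup fails."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def classify_domains(domains, resolver=dns_resolver):
    """Map each root domain to 'live' or 'zombie' (no longer resolves, so it
    may be expired). The resolver is injectable so the audit can run offline
    against a cached answer set."""
    return {d: ("live" if resolver(d) else "zombie") for d in domains}

if __name__ == "__main__":
    for domain, verdict in classify_domains(extract_root_domains(SAMPLE_STRINGS)).items():
        print(f"{verdict:7} {domain}")
```

A non-resolving name is only a candidate: confirm registrar status before treating it as expired, since a dead host can also mean a misconfigured but still-owned zone.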
The researchers also studied the behaviors of legitimate and malicious clients and their use of predefined protocols in communicating with a master server. They found that the two share fairly similar behaviors, with both interested in services such as telephony managers, location services, SMS, account managers and more.
“It just depends on who controls the master domains to decide whether they will be good or bad,” Xu said.
“It’s important to understand that a legitimate SDK command and control infrastructure can be dangerous,” Xu said. “Before you give a verdict to an app, consider all of its components, including the SDK, in malware detection, especially if the C&C is unmanaged.”