AdMob Ad Revenue Hijacking
The AdMob advertising system by Google allows mobile app developers to monetize their applications through targeted advertising. As part of the ongoing research by Kindsight Security Labs, we wondered if the techniques used by malware authors to insert their malicious code into legitimate apps could be used to hijack this interface and steal ad revenue from the original app developers. Our tests have proven this to be true.
How It Works
- The malicious user opens an AdMob account and creates a publisher ID.
- They then download a copy of an AdMob monetized app and get access to the apk file.
- They use reverse engineering tools to open the apk file, locate the original AdMob publisher ID in the app and replace it with the one that they created in step 1. This is often fairly trivial to do.
- They repackage and sign the app.
- They then distribute the modified app through various alternative markets.
When the app is run, everything operates as expected; however, the “publisher ID” of the malicious user is now used in all communications with the AdMob system instead of the legitimate owner’s ID, so any ad revenue goes to the malicious user.
What App Developers Can Do
The key to the hijacking process is step 3. If it’s not easy to replace the original publisher ID, the attacker may move on to another, more vulnerable app. The simplest way to make reverse engineering difficult is to use an “obfuscator” program such as ProGuard.
Google is aware of the issue and will treat any cases that are discovered as “click fraud” and disable the attacker’s AdMob account. However, this doesn’t really help the victim, who will continue to lose revenue.
By Kevin McNamee, Kindsight Security Labs
