Potentially Unwanted Programs (PUPs) are often legitimate software that pose a risk to users’ privacy or systems. A reasonably secure–or privacy-minded–user may want to be informed of the presence of certain PUPs and in some cases remove them. One very common type of PUP is adware, which exists to make revenue through advertising. Some adware is merely annoying but others could ignore or violate a user’s privacy by collecting and transmitting sensitive information to others without the user’s consent. Adware is well-known in the PC world and is becoming more prevalent now on mobile platforms (due to the fact that more developers are able to distribute their own applications from a central source like the Android Market).
The recent PUP Toplank (a.k.a. Counterclank) is an example of how aggressive mobile advertising in the Android world can be. The basic installation behaviors may be bad enough for some users. For example, Toplank adds bookmarks and home-screen shortcuts and makes home-page modifications without adequately informing the user or gaining consent to do so. More disturbing is what it does after it is installed. Recently, during the analysis of suspicious live wallpaper available in the Android Market, I found an advertisement module similar to Toplank’s in the sense that, once the PUP executes, it adds a shortcut in the home screen without the user’s consent:
However, at the same time in the background the following sensitive information is sent to the remote server ad.leadboltapps.net:
In addition to the “normal” sensitive data (OS version, IMEI, geographical location, and phone number) collected by several mobile-advertisement SDKs, this PUP also collects and sends the IP address of the device (which could be internal if the device is connected via network address translation or external if it is using the mobile network). This information, along with the exact identification of the device with the IMEI, could represent a privacy violation to some users. In addition, the developer does not clearly state in the Android Market that the wallpaper is ad supported:
The developer offers an option in Settings to disable notification ads. However, even if the option is disabled, the data has already been leaked and the user can do nothing to stop it.
Adware for mobile devices is constantly evolving and becoming very aggressive, invasive, and even dangerous to our privacy. If you have enabled PUP detection (which is enabled by default), then McAfee Mobile Security for Android detects this adware as Android/LdBolt.A.