Smut-slingers' malvertising allowed into Android apps, moan devs

Your next train is due in ... HOT VIDEO HERE!

dumb_and_dumber_648

Android apps that should be innocuous are pimping smut by way of slack supervision of their advertising networks, with two app authors complaining to The Register that the root of the problem lies with The Chocolate Factory.

The authors of two popular Sydney public transport apps told us Google's app monetisation service AdMob is failing to catch disallowed advertisements that should be easy to spot for the world-dominating ad-and-click network.

Malvertising is a rising problem because users are turning to ad blockers as a security precaution, both to protect against malware and to keep material they deem inappropriate out of their eyeballs. The latter outcome is made necessary by ads like those below, which The Register has observed in the Arrivo and TripView public transport timetable apps, both of which are likely to pop up on minors' phones.

TripView with smutty ad

The ad, as it appeared on TripView on the author's Android phone

Arrivo with smut ad

The same ad, on the Arrivo Sydney Lite bus timetable

The rotating ad rotates to a URL that on the face of it has nothing whatever to do with smut:

TripView with smutty ad #2

The ad rotates to display this URL ...

The URL it presents, Gradiant.com, is a company that presents itself as “a technology-driven water services company”, which would only seem peripherally connected to advertisements of an NSFW nature.

The "real" Gradiant Website

No pr0n to see here, folks

The ad also snuck past the filters of apps offered by Australian news publisher Fairfax:

In presenting a URL that's clearly not its own, the advertisement screamed “don't touch” to Vulture South. Since our Android security skills are limited, and we have no burner-phone handy on which to risk following the link, we left it there.

We did, however, approach security companies to ask whether they are aware of a new campaign this might be pushing to users; and also approached the authors of TripView and Arrivo to ask which ad networks are permitted to insert content into their apps.

Arrivo responded first, and managed to find and block the ad, saying it should not have gotten past the app's Google AdMob filter settings.

Tripview's author also pointed the finger at AdMob, and at the time of writing is trying to identify the advertiser.

We asked Google how and why such ads are making it past AdMob's guardians and were told ""We are aware of the issue and we are taking action to remove the ads from our network", but could and/or would not elaborate.

We will follow this story as more information comes to hand. ®

Bootnote: If, as it seems to this untutored eye, the ad got past filters by presenting its text as an image with extra space to defeat character recognition, Google deserves its backside kicked through all the letters of its Alphabet. Twice per letter, once per language. ®


Biting the hand that feeds IT © 1998–2017