Mobile Ads Can Be Weaponized to Track Desired Users for Less Than $1,000

LASER_oneXM

User targeting capabilities provided by mobile advertisers can also be abused to track users with an accuracy of 8 meters and for a budget of $1,000 or less.

These are some of the conclusions of a comprehensive study of the mobile advertising landscape carried out by a team of three researchers from the Security & Privacy Lab at the University of Washington.

Mobile advertising networks can be abused for user surveillance
Researchers discovered that mobile networks provide user targeting capabilities so accurate and finely tuned that a threat actor could abuse these tools to track down individuals fitting a certain pattern or to spy on known targets.

For example, an attacker could register for one of these services and set it up to deliver ads only to a certain geographical area, such as the coordinates of a house in his local neighborhood.

Because the attacker bought ads, this also means he gets usage reports on how and when the ads were delivered for his recent purchase, in this case, the local house.

These reports don't only show when ads are clicked, but they also show when they're displayed, and in the case of mobile ads, on what apps and websites.

An attacker can use this technique to infer details about his target, such as the time of day when he's at home, his religious beliefs, sexual habits, medical conditions, or more. This data is not directly available through the report, but if the user often receives ads while visiting the website of a cancer clinic or inside an LGBT dating app, then the data speaks for itself in most cases.

MAID can be abused for high-accuracy tracking
This type of tracking scenario relies on volatile and often inaccurate data like geographical coordinates or IP addresses. Researchers say that user tracking through mobile ads could be many times more accurate if the attacker discovers a user's MAID (Mobile Advertising ID), which is unique per user device.

The trick is that the MAID is not freely available, but researchers also argue that this isn't actually a big hurdle for attackers.

Threat actors can discover a target's MAID when the user clicks on an ad, by intercepting unencrypted local WiFi network traffic, or by delivering ads with malicious JavaScript that collects the MAID even if the user doesn't click on the ad. Furthermore, in some cases, an attacker may be able to compute the MAID himself if he has access to various device specifications.

Once the attacker has the MAID, the accuracy of his tracking abilities can be increased many times over, allowing him to deliver even more targeted ads.
 