Mobile Ads Can Be Weaponized to Track Desired Users for Less Than $1,000

[LASER_oneXM]

User targeting capabilities provided by mobile advertisers can also be abused to track users with an accuracy of 8 meters and for a budget of $1,000 or less.

These are some of the conclusions of a comprehensive study of the mobile advertising landscape carried out by a team of three researchers from the Security & Privacy Lab at the University of Washington.

Mobile advertising networks can be abused for user surveillance
Researchers discovered that mobile networks provide user targeting capabilities so accurate and finely tuned that a threat actor could abuse these tools to track down individuals fitting a certain pattern or to spy on known targets.

For example, an attacker could register for one of these services and set up to deliver ads only to a certain geographical area, such as the coordinates of a house in his local neighborhood.

Because the attacker bought ads, this also means he gets usage reports on how and when the ads were delivered for his recent purchase, in this case, the local house.

These reports don't only show when ads are clicked, but they also show when they're displayed, and in the case of mobile ads, on what apps and websites.

An attacker can use this technique to infer details about his target, such as the time of day when he's at home, his religious beliefs, sexual habits, medical conditions, or more. This data is not directly available through the report, but if the user often receives ads while visiting the website of a cancer clinic or inside an LGBT dating app, then the data speaks for itself in most cases.

MAID can be abused for high-accuracy tracking
This type of tracking scenario relies on volatile and often inaccurate data like geographical coordinates or IP addresses. Researchers say that user tracking through mobile ads could be many times more accurate if the attacker discovers a user's MAID (Mobile Advertising ID), which is unique per user device.

The trick is that the MAID is not freely available, but researchers also argue that this isn't actually a big hurdle for attackers.

Threat actors can discover a target's MAID when the user clicks on an ad, by intercepting local unencrypted local WiFi network traffic, or by delivering ads with malicious JavaScript that collects the MAID even if the user doesn't click on the ad. Furthermore, in some cases, an attacker may be able to compute the MAID himself if he has access to various device specifications.

Once the attacker has the MAID, the accuracy of his tracking abilities can be increased many times over, and allow him to deliver even more targeted ads.