Vpon is one of many mobile ad SDKs marketed towards mainland Chinese and Taiwanese developers and app users. Recently, FireEye mobile security researchers identified a branch of Vpon ad SDK on iOS containing code that allows a malicious actor (be it the app developer or the SDK creator) to remotely command the app to perform the following actions:
In our investigation, we found that not all SDKs provided by Vpon enable the above capabilities – only the SDKs that are integrated with another ad platform aggregator, AdsMogo. AdsMogo not only functions as a standalone ad serving platform, but also provides the unification of a dynamic list of third party ad SDKs such as Inmobi, Youmi, Millenial Meida, Tapjoy, Vungle, etc. The implementation allows the participating ad SDKs to integrate behaviors that are not advertised in their standalone offerings.
We found a total of 36 apps that have the risky version of Vpon SDK integrated with AdsMogo platform. These apps are still available in the App Store as of May 25, 2016. According to Vpon’s changelog for iOS, the latest version at the time of posting is 4.5.1.
However, throughout the changelog, there is no mention of the use of Cordova plugins. Our investigation indicates that Cordova plugins have been used starting with version 4.2, when a major build took place. This has persisted through all subsequent releases.
Figure 1. A high-level view of the Cordova
Source: Apache Cordova under Apache License
Vpon implemented its own plugin that encapsulates all the existing open source plugins. This is not exposed to the developer in its standalone releases of the SDK, therefore, developers could not hook the functionality into their apps. However, AdsMogo provides a software adapter that allows Vpon SDK provider to conceal the plugin initialization and ad rendering. When an app developer integrates Vpon through AdsMogo provided interface, all the plugin capabilities are enabled within the app.
An iOS plugin is implemented as an Objective-C class that extends the CDVPlugin class. For Vpon SDK, this Objective-C class is VponCDVPlugin, which is further extended by the plugin implementation shown in Figure 2.
Figure 2. A list of plugin implementations in Vpon’s Cordova Plugin
For the Vpon SDK, the embodiment of this view controller class is VponCDVViewController. Special setup and configuration was performed when an instance is instantiated. Figure 3 shows a subset of methods it has, as well as a look into one of its functions [VponCDVViewController webView:shouldStartLoadWithRequest:navigationType:].
Figure 3. Vpon Cordova plugin’s implementation of entry point view controller CDVViewController
VponCDVViewController is never directly instantiated and added to the host app’s view controller hierarchy, but rather is dependent on the instantiation of many of its child implementations, VponPhoneGapViewController. Figure 4 shows the parent and child relationship of these two view controllers.
Figure 4. VponCDVViewController is the parent of VponPhoneGapViewController
Furthermore, VponPhoneGapViewController is the parent of the following view controllers, as shown in Figure 5.
Figure 5. VponPhoneGapViewController is the parent of the list of UIViewController implementations
To better illustrate the workflow of Vpon Cordova plugin, let’s focus on one of the UIViewController implementations. A VponAdViewController instance is created and set into operation in a series of method invocations started when the Vpon SDK is activated through AdsMoGoAdapterVpon, an adapter implementation of the Adapter interface provided by AdsMoGo platform. The sequence of invocations is depicted in Figure 6.
Figure 6. Sequence of invocations that illustrates the integration of Vpon and AdsMoGo
Figure 7 displays the content of [VpadnBanner sendRequestGetAd] with the highlighted area showing the initialization of the child view controller implementation of VponCDVViewController .
Figure 7. The implementation of [VpadnBanner sendRequestGetAd] with the instantiation of VponCDVViewController
When VponAdViewController is used to open a video Ad through [VponAdViewController openVideoAd:], it effectively creates an instance of the VponVideoWebViewController and renders the remotely retrieved video content.
The capabilities that are beyond the realm of ad serving in Vpon are manifested by the plugin implementations. Each capability is supported by an implementation of an open source Cordova plugin. Figure 8 shows the full set of commands supported by vpadn-sdk-i-v4.2.16: the latest as of March 28, 2016, which is the required plugin mapping for a custom Cordova plugin.
Figure 8. Vpon Cordova Plugin Mapping
For those who are interested in knowing more about Cordova Plugin development, please refer to Apache’s plugin development guide.
Figure 9. Vpon’s implementation of the media capture plugin
According to Cordova’s documentation on the media capture plugin shown in Figure 10, the utilization should always be accompanied by a UI control that allows the user to accept or deny. While the OS prompts the user for granting the access to the microphone the first time it is going to be used by the app, it is not sufficient in raising the user’s suspicion if the host app provides functionalities that require legitimate access to the microphone.
Figure 10. Apache documentation on the media-capture plugin
Listing 1. Content of file http://m.vpadn.com/sdk/vpadn-sdk-a-core-v1.js
Listing 3. PoC exploit
This is the functional equivalent to the following execution in cycript within a running app embedded with the malicious Vpon SDK, as shown in Figure 14.
Figure 14. Activate device microphone for voice recording through Vpon’s undisclosed Cordova plugin in Cycript
The subsequent execution of the above cmd resulted in a stealth recording saved to the Documents directory within the app sandbox.
While we did not capture real network traffic during our investigation that proves a perceived wrongdoing, we see no justification for an ad platform provider, such as Vpon, to have the code ability to use the microphone for voice recording, use the camera for taking pictures and recording videos, access the address book, manipulate the app sandbox, and perform other behaviors.
The current setup offers opportunity to two types of potential malicious actors who can profit from the developers and the app users.
Following our responsible disclosure guidelines, we contacted Apple and Vpon respectively on May 10, 2016. Apple acknowledged the findings, but offered no further feedback. Vpon did not respond when we reached out.