
Ad Vulna: Vulnerable and Aggressive Adware Threatening Millions - Sektor
http://www.fireeye.com/blog/technical/2013/10/ad-vulna-a-vulnaggressive-vulnerable-aggressive-adware-threatening-millions.html
======
johnvschmitt
This is why I'm really hesitant to use popular libraries like Flurry.

I'm making a kids game & really want to respect the kids' privacy. I can't
hand the keys to all that data & possible backdoors to some "free" third party
library & just trust they will play nice.

~~~
gtufano
After giving some thought to the same issue you raise (customer privacy and
security), I moved on to use Piwik ([http://piwik.org/](http://piwik.org/), a
well-known open-source analytics server) on a personal server. There are also
native libraries for mobile usage (I use PiwikTracker
[https://github.com/mattiaslevin/PiwikTracker](https://github.com/mattiaslevin/PiwikTracker)
for iOS and OS X). Fewer bells and whistles than Flurry, but definitely a more
controlled environment. ;)

~~~
vdaniuk
Piwik allows site owners to track and uniquely identify visitors using their
IP addresses. If I were concerned about my privacy I would trust Google more
than a random website owner. Just a point to consider.

~~~
gtufano
You can always identify your customers through your application without any
external library or effort. The point is that (your analytics provider) can
track you through all the apps using the library. This is a significant
difference, IMHO.

------
Amadou
They need a new term -- "Vulna" is just too close in sound and in look to
"vulva." Maybe it is on purpose to catch people's attention (it caught mine in
a near spit-take), but that would be a poor decision for anyone who wants to
be taken seriously.

~~~
lucian1900
That didn't even cross my mind. Perhaps it depends on language background?

~~~
imdsm
Natural English here and didn't occur to me either.

------
Sektor
I'm interested if anyone has been able to identify the library or spot any
clues other than the image from the article
[http://www.fireeye.com/blog/wp-content/uploads/2013/10/scree...](http://www.fireeye.com/blog/wp-content/uploads/2013/10/screen.png)

~~~
jevinskie
I'm curious as to why FireEye chose not to disclose the library. What would
you call this kind of disclosure?

~~~
greenyoda
_"I'm curious as to why FireEye chose not to disclose the library."_

For the same reason that most responsible security researchers don't disclose
zero-day threats: to prevent people from exploiting them before they can be
fixed. In this case, they did notify Google, which can pull the compromised
apps out of their app store and notify the developers who've used this library
that they need to rewrite their apps.

------
fauigerzigerk
What kind of perverted joke is this? They're making grandiose claims about
severe security threats without telling us which library it is? This is pure
spam. I'm going to flag this nonsense.

~~~
hipsters_unite
That's what I thought, read all the way to the end and didn't even find out
what the actual threat was. Ridiculous.

------
barista
Key quote:

"We have analyzed all Android apps with over one million downloads on Google
Play, and we found that over 1.8% of these apps used Vulna. These affected
apps have been downloaded more than 200 million times in total."

------
gibwell
This must be a false report, because according to Eric Schmidt, Android is
more secure than the iPhone. There cannot be 200 million vulnerable downloads.

------
jtnadams
Typical Android

