Israel’s GeoEdge, a provider of ad verification and transparency solutions for the online and mobile advertising ecosystem, claimed to have discovered the first ad-based cyberattack aimed specifically at home-network-based IoT devices. The attack is said to be the first to use online advertising to secretly inject malware into the devices. The malware reportedly has the ability to tamper with home systems, download apps without user consent, and steal personal information and monetary instruments, among others.
Working in cooperation with the company’s AdTech partners InMobi and Verve Group, GeoEdge’s security researchers identified both the attack vector as well as its origins from malicious actors in Slovenia and Ukraine, the company said.
GeoEdge’s security research team has reportedly been investigating the malvertising attack on smart home IoT devices since mid-June. The attack is the first to use online advertising to secretly install apps on home-WiFi-connected IoT devices, and only requires that hackers possess a basic understanding of device API documentation, some JavaScript knowledge and rudimentary online advertising skills, according to the company.
“GeoEdge’s patented behavioral code analysis technology and advanced malware detection capabilities detected these online ads covertly injecting malware into smart-home IoT devices,” said GeoEdge CEO Amnon Siev. “With the collaboration between InMobi and Verve, we exposed the origin, infrastructure and global scale of these attacks. This joint mission is built on trust and a deep understanding of the threat landscape which has enabled us to create a new standard for user protection.”
“Malvertising,” or malicious advertising, spreads malware through the injection of malicious code into online display ads via online advertising networks, exposing user networks and connected devices to the potential risk of infection. Advertising networks are generally unaware they are serving malicious content, and in the cases discovered by GeoEdge, users targeted with the attack aren’t even required to click on the infected ad or navigate to a malicious page to initiate the attack on home network devices, GeoEdge said.
“Digital advertising continues to capture a larger share of marketing budgets for companies large and small, and with that growth come potential risks. It is critical that we have the checks and balances to identify and contain potential malicious threats before they can infect users’ devices,” said Kunal Nagpal, SVP and GM, Publisher Platform and Exchange at InMobi.
GeoEdge’s research found that the secretly-injected malware has the ability to manipulate IoT devices, download apps without user consent, steal personal information and monetary instruments as well as tamper with home systems such as smart locks and surveillance cameras. Antivirus apps and even firewalls are not enough to block such attacks, making it necessary to continuously block infected ads in real time to prevent them from being presented to users, the company said.
“As we work to maintain a clean and transparent ecosystem, the ad security landscape constantly evolves, introducing new cybersecurity risks which require innovative solutions,” said Pieter de Zwart, VP of Engineering at GeoEdge partner Verve Group.