Monday, October 31, 2016

Blocking Adwares on Android - Protect against malwares and privacy

According to Mcafee, "A company from India has released an advertising software developer kit (SDK) called SilverPush that uses your phone’s microphone to listen for near-ultrasonic sounds placed in TV, radio and Web advertisements. Once SilverPush detects the signal, it collects data from your device and sends information about your device back to the advertiser. While this is not a piece of malware, it is a huge concern from a privacy perspective. It collects personal information from your device, including, but not limited to:


• IMEI number (a unique number that identifies your phone)
• Operating system version
• Location
• Potentially the identity of the owner
• The user’s television, radio and Web behavior

SilverPush is not a standalone app, but is embedded as part of another application and typically runs without the user’s consent. If an application on your mobile device is detected as containing SilverPush, the best solution is to remove that application from your device."

I searched various mobile threats. Well zero days we can not protect and detect in advance obviously. So I tried to block all advertisements and here is the takeout.

We will require to install AdAway application. Unfortunately this application requires rooted device because it is directly interacting /etc/hosts file.

You must have got the idea what I am talking about. Yes we are going to add all advertisement websites names within our /etc/hosts files so that it will not be able to connect. Here is how.

What is /etc/hosts and what does it do?
The hosts file is one of several system facilities that assists in addressing network nodes in a computer network. It is a common part of an operating system's Internet Protocol (IP) implementation, and serves the function of translating human-friendly hostnames into numeric protocol addresses, called IP addresses, that identify and locate a host in an IP network. In some operating systems, the hosts file's content is used preferentially to other methods, such as the Domain Name System (DNS), but many systems implement name service switches (e.g., nsswitch.conf for Linux and Unix) to provide customization. Unlike the DNS, the hosts file is under the direct control of the local computer's administrator.

It means that the system will not do a DNS lookup for mydomain, it will be automatically redirected to the IP address you specified in your hosts file.

Target: Add all adblocker websites to your /etc/hosts files.
How and where to get all list: Adaway Application.

Scenario 1: Without advertisement blocking protection.

Currently your phone's default /etc/hosts file would look like below screenshot.


On most systems the default entry in the hosts file is:

127.0.0.1    localhost

127.0.0.1 is always the address of the computer you're on. For example, if you run a web server on your pc, you can access it from the web browser via the http://localhost:port instead of typing the whole IP address http://127.0.0.1:port.

So I can assume that any application, browser which will connect to any 3rd party advertisement company will be connected and work in silent mode without user's consent. What add companies takes user data, we are unaware.

For the demo purpose I am going to use 'SQLite editor' application. This application provides GUI access of each application's database. It is famous among pentester. Now this application comes in two versions. If we purchase it we will get add free version as this free version from playstore will contain advertisements within the application.


Now lets just use this application in normal way. You will observe that it will provide many adds while we use it.

Uber Add




Facebook add
"Now I am not sure why Facebook brand will give their add in small security related application lying on playstore which has nearly 10000+ users only. It can be phishy.."

Scenario 2: How to block contents using hosts file.

For the demo purpose I am adding facebook domain to my host file and giving ip 127.0.0.1. That means I am telling my mobile to not to look for DNS in order to resolve the IP from the domain name as I am telling that facebook's IP is 127.0.0.1. Now application and browser on my mobile device will try to connect to 127.0.0.1 thus by landing nowhere on the internet and this is how we will block facebook through host file.

Before moving foward, let me inform you that you can not simply edit host file as it has only read-only permission. 

Once we root the phone yes we have root access, but we can not edit content. For that we need to remount /system to be read/write access using following command.

$ adb shell

$ su

$ mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system

In case if you do not want to fall into this huddle, you can simply use "Root Browser" application to do this. Using root browser, you can navigate to whole system and edit files.

Now I am going to add facebook domain to hosts file as mentioned below.


After adding content click on save.

Now try to access m.facebook.com domain through chrome browser on your mobile phone.

Bingo!! We blocked.

Question: How to gather all add block websites and insert into hosts file.

Adaway in action

AdAway is an open source ad blocker for Android using the hosts file. It needs Android >= 2.1 and ROOT access.

It has all those advertisement domains categorized nicely for us at 


Install adaway. It is not available on playstore. Find and install.

Post installation you will see below screen.

Click on "Download files and apply ad blocking".




In my case, rebooting was not required. You can check if changes have been affected or not. Depending upon that you can reboot.


Post reboot, it will be enabled.

Now let us check our SQLite editor application. It will look like below screenshot. Add free :)


Now let us check our hosts file. It will look as below.


It has added so many domains within hosts file which are listed on


So now our majority of applications are add free. It will help us to protect our privacy as well as blocking mobile mawlares at certain levels. Rooted phone users must do it as rooting phone itself pauses many risks.

Reference:
  1. www.mcafee.com/us/resources/reports/rp-mobile-threat-report-2016.pdf 
  2. https://adaway.org/ 
  3. http://askubuntu.com/questions/183176/what-is-the-use-of-etc-hosts 
  4. https://play.google.com/store/apps/details?id=com.ksk.sqliteeditor&hl=en
  5. http://android-tricks.blogspot.in/2009/01/mount-filesystem-read-write.html 

No comments: