Mobile ads can hijack your phone and steal your contacts

@CNNMoneyTech July 18, 2012: 7:09 PM ET

NEW YORK (CNNMoney) -- Those pesky pop-up ads from the '90s are back, but this time they're holding your smartphone hostage.

Tens of thousands of smartphone apps are running ads from rogue advertising networks that change smartphone settings and take contact information without permission, according to a new study released Monday.

Aggressive ad networks can disguise ads as text message notifications or app icons, and sometimes change browser settings and bookmarks. Often, the ads will upload your contacts list to the ad network's servers -- information the ad network can then sell to marketers.

Sounds scary? It's not a giant problem yet, but it's a growing one. As many as 5% of free mobile apps use an "aggressive" ad network to make money, according to Lookout, a San Francisco-based mobile security company.

With millions of mobile apps in stores, that small sliver adds up to a big number. The study found that 19,200 of the 384,000 apps it tested used malicious ad networks. Those apps have been downloaded a whopping 80 million times.

PhoneLiving was one of the most prevalent app developers to use these kinds of ad networks, according to Lookout -- their dozens of talking animal apps have been downloaded several million times.

PhoneLiving says it has mended its ways. The company acknowledged using invasive techniques to make money from its apps, but says it dropped those methods at the start of this month because of bad reviews and declining downloads.

"We have removed all of the notification/icon ads from all of our talking apps," a company spokesman said. "We have made this switch to benefit our users despite the lower profits involved in other types of ads."

The most popular type of apps that use aggressive ad networks are "personalization" apps, which include wallpapers. Comic, arcade and entertainment apps are also among the most likely to have rogue ad networks running behind the scenes.

Like aggressive pop-ups on PCs, the bad software isn't easy to shed. Though the damage can typically be reversed by deleting the app, it can be hard to pinpoint which app is causing the problems.

"Sometimes you download 10 apps at a time, so you don't know which is responsible," said Kevin Mahaffey, Lookout's CTO. "It's not unlike adware in the early PC days."

When developers create free mobile apps, they usually make money through ads displayed within the app. That free version of Angry Birds didn't cost you anything because of the pop-up ad that appears right as you're catapulting the red bird at its target.

The vast majority of ads run on well-known ad networks like Jumptap, Apple's (AAPL, Fortune 500) iAd and Google's (GOOG, Fortune 500) AdMob. They collect some information about their users, but they don't go to the extremes of uploading contact lists and changing settings.

The appeal of the ad networks that Lookout calls "aggressive" is that they generate more revenue for app developers.

Android ad network Airpush, for example, places ads in users' notification bars and home pages. That generates more clicks -- and more money for developers -- since even inactive users can view the ads.

Lookout has criticized Airpush in the past for being overly aggressive with its marketing techniques. Airpush remains the second-biggest ad network for Android devices.

Airpush gives customers the option of opting out of its push notification ads, and users are notified the first time they launch an Airpush-equipped app about the app's advertising methods. All of Airpush's ads include the name of the app transmitting the ad, the company says.

An Airpush representative says the company plans to move within the next two weeks to "an affirmative opt-in" system for its push notification ads.

App makers don't usually disclose what ad network they're using, which makes it hard to avoid the known offenders. The best defense is to read reviews and avoid downloading apps that have attracted a trail of complaints.

Lookout's Mahaffey says bad actors are more prevalent on Android phones than iPhones, because the Google Play app store has fewer restrictions and gatekeepers than Apple's iTunes app store.

But the iPhone isn't immune: Other ad networks Lookout considers aggressive include Moolah Media and Leadbolt, which publish apps for both Android and iOS.

Correction: A photo caption on an earlier version of this story incorrectly suggested that Airpush takes contact information from users' phones; the company does not. The story has been updated with a response from Airpush. Also, Lookout initially cited Mocean Mobile as an aggressive network, but later retracted that classification and called it an error. Mocean Mobile is an ad-serving platform, not an ad network.
