The FireEye researchers say that InMobi requested user consent for the actions exposed through these methods, with the exception of makeCall. "If an app has the Android permission CALL_PHONE, and is using InMobi versions 3.6.2 to 4.0.2, an attacker over the network (for example, using Wi-Fi or DNS hijacking) could abuse the makeCall annotation in the app to make phone calls on the device without a user's consent -- including to premium numbers," the FireEye researchers said.
InMobi added a consent requirement for makeCall actions in version 4.0.4 after FireEye notified the company of the issue, the researchers said. However, there are still many apps on Google Play that use older and vulnerable versions of this ad library, they said.
"We have identified more than 3,000 apps on Google Play that contain versions 2.5.0 to 4.0.2 of InMobi -- and which have over 100,000 downloads each as of December, 2013," the researchers said. "Currently, the total download count for these affected apps is greater than 3.7 billion."
A fake lottery-related message, a free coupon or some other kind of offer injected into the WebView could be used to mislead users into clicking the consent button, Tao Wei, senior staff research scientist at FireEye, said via email. HTTPS with correct certificate verification would provide better protection than HTTP, he said.
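The pattern the researchers describe is a WebView whose JavaScript-to-Java bridge can place a call as soon as page script asks for it, combined with ad content fetched over plain HTTP that a network attacker can rewrite. The following Android snippet is an added illustration written for this article, not InMobi's code or FireEye's proof of concept: the class and method names (AdWebViewActivity, AdBridge, makeCallUnsafe, makeCall, loadAdUrl) and the ad URL are hypothetical. It shows the unguarded bridge method beside a version that requires an explicit tap, and refuses to load ad content over HTTP.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Hypothetical activity hosting an ad WebView (illustration only, not InMobi's code).
public class AdWebViewActivity extends Activity {

    // Hypothetical bridge object, exposed to page JavaScript as window.adBridge.
    private final class AdBridge {

        // VULNERABLE pattern: any script running in the WebView dials immediately.
        // Needs CALL_PHONE in the manifest. Over plain HTTP, an attacker who injects
        // <script>adBridge.makeCallUnsafe("...")</script> into the ad response places
        // the call without the user seeing a prompt.
        @JavascriptInterface
        public void makeCallUnsafe(String number) {
            startActivity(new Intent(Intent.ACTION_CALL, Uri.parse("tel:" + number)));
        }

        // HARDENED pattern: the bridge only asks. Bridge methods run on a background
        // thread, so the dialog is posted to the UI thread, and ACTION_DIAL (which
        // needs no CALL_PHONE permission) still leaves the final "call" tap to the user.
        @JavascriptInterface
        public void makeCall(final String number) {
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    new AlertDialog.Builder(AdWebViewActivity.this)
                        .setTitle("Place a call?")
                        .setMessage("This ad wants to call " + number)
                        .setPositiveButton("Call", new DialogInterface.OnClickListener() {
                            @Override
                            public void onClick(DialogInterface dialog, int which) {
                                startActivity(new Intent(Intent.ACTION_DIAL,
                                        Uri.parse("tel:" + number)));
                            }
                        })
                        .setNegativeButton("Cancel", null)
                        .show();
                }
            });
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        // On API 17+ only methods annotated @JavascriptInterface are reachable from page script.
        webView.addJavascriptInterface(new AdBridge(), "adBridge");
        setContentView(webView);
        loadAdUrl(webView, "https://ads.example.com/creative.html"); // hypothetical ad server
    }

    // Refuse plain HTTP: on a hostile Wi-Fi network or with hijacked DNS an attacker can
    // rewrite an HTTP response to drive the bridge or to show a fake "You won!" prompt
    // that tricks the user into tapping the consent button.
    static void loadAdUrl(WebView webView, String url) {
        if (!url.startsWith("https://")) {
            throw new IllegalArgumentException("ad content must be served over HTTPS: " + url);
        }
        webView.loadUrl(url);
    }
}
```

The HTTPS check only helps if certificate verification is left intact: a WebViewClient that overrides onReceivedSslError and calls proceed() would hand the same injection opportunity back to the attacker, which is the "correct certificate verification" caveat Wei raises. A consent dialog also does not defend against the misleading injected offer on its own; it is the combination of a gated bridge and untampered transport that closes the gap.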