In a study of 100,000 apps in the official Google Play market, researchers at North Carolina State University reported more than half contained so-called ad libraries, and hundreds of the apps included aggressive ad libraries that could download and run code from remote servers.
"Running code downloaded from the Internet is problematic because the code could be anything," computer scientist Xuxian Jiang said. "For example, it could potentially launch a 'root exploit' attack to take control of your phone -- as demonstrated in a recently discovered piece of Android malware called RootSmart."
To generate revenue, many free apps incorporate "in-app ad libraries" provided by Google, Apple or other third parties that retrieve advertisements from remote servers and run the ads on a user's smartphone. Every time an ad runs, the app developer receives a payment.
The problem arises because ad libraries receive the same permissions the user granted to the app itself when it was installed, regardless of whether the user was aware of granting permissions to the library.
Jiang said some apps use libraries "that made use of an unsafe mechanism to fetch and run code from the Internet -- a behavior that is not necessary for their mission, yet has troubling privacy and security implications."
Hackers could use the libraries to bypass existing Android security efforts, he said, since the app itself may be harmless and won't trigger any security concerns -- but its ad library may download harmful or invasive code after installation.
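The defender-side check this implies, as an added example that is not from the article or from the NCSU study: a Python heuristic that flags bundled library namespaces which both fetch from the network and load code at runtime, and lists the host-app permissions that downloaded code would inherit. It assumes an analyst has already extracted, per class, the framework APIs the class references (for instance from a dex disassembly) plus the manifest permissions; the `ClassRef` type, the two-component library-namespace rule and all sample data are constructed for this example.

```python
from dataclasses import dataclass

# Real Android/Java APIs that execute code which was not part of the installed
# APK; inside the app process they run with the host app's UID and permissions.
DYNAMIC_LOAD_APIS = {
    "dalvik.system.DexClassLoader.<init>",
    "dalvik.system.PathClassLoader.<init>",
    "java.lang.System.load",
    "java.lang.Runtime.exec",
}
NETWORK_APIS = {
    "java.net.URL.openConnection",
    "java.net.HttpURLConnection.getInputStream",
}

@dataclass
class ClassRef:
    name: str   # fully qualified class name, e.g. com.adnet.sdk.Loader
    apis: set   # framework APIs referenced by this class

def library_id(class_name):
    """Constructed heuristic: treat the first two package components as the library."""
    return ".".join(class_name.split(".")[:2])

def flag_dynamic_loaders(classes, app_package, permissions):
    """Report libraries (classes outside app_package) that both reach the network
    and load code at runtime, together with the permissions they inherit."""
    by_lib = {}
    for cls in classes:
        if cls.name.startswith(app_package + "."):
            continue  # the app's own code is not a bundled library
        seen = by_lib.setdefault(library_id(cls.name), {"loads": set(), "fetches": set()})
        seen["loads"] |= cls.apis & DYNAMIC_LOAD_APIS
        seen["fetches"] |= cls.apis & NETWORK_APIS
    return [
        {"library": lib, "apis": sorted(s["loads"] | s["fetches"]),
         "inherited_permissions": sorted(permissions)}
        for lib, s in sorted(by_lib.items()) if s["loads"] and s["fetches"]
    ]

# Constructed sample: a flashlight app bundling two ad libraries.
SAMPLE_PACKAGE = "com.example.flashlight"
SAMPLE_PERMISSIONS = {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE"}
SAMPLE_CLASSES = [
    ClassRef("com.example.flashlight.MainActivity", {"android.hardware.Camera.open"}),
    ClassRef("com.adnet.sdk.AdFetcher", {"java.net.URL.openConnection"}),
    ClassRef("com.adnet.sdk.PluginLoader", {"dalvik.system.DexClassLoader.<init>"}),
    ClassRef("org.benignads.Banner", {"java.net.URL.openConnection"}),  # fetches ads only
]

if __name__ == "__main__":
    for finding in flag_dynamic_loaders(SAMPLE_CLASSES, SAMPLE_PACKAGE, SAMPLE_PERMISSIONS):
        print(finding)
```

The `org.benignads` library is not flagged because fetching ad content over the network is expected; only the combination with a runtime code-loading API in the same library namespace is reported.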