{“data”:{“Id”:”8XXX5?,”acceptLanguage”:”en”,”adPool”:0,”androidId”:”u1XXX…XXXug”,”bundleId”: “com.rovio.angrybirds”,…,”cookie”:[{“name”:”cu1XXX8″,”value”:”3XXX6+PM”},{“name”:”vw”,”value”:”ref=1XXX2&dgi=,eL,default,GFW”},{“name”:”lc”,”value”:”1XXX8″},{“name”:”iuXXXg”,”value”:”x”},{“name”:”cuXXX8″,”value”:”3%2XXXPM”},{“name”:”fXXXg”,”value”:”ref=1XXX712&crXXX8=2,1&crXXX8=,1″}], “crParms”:”age=30,androidstore=’com.android.vending’, customer=’googleplay’, gender=’FEMALE’, version=’4.1.0?”, “debugFlags”:0, “deviceId”:”aXXX…XXXd”, “encDevId”:”xXXX….XXXs=”, “encMAC”:”iXXX…XXXg=”, “ipAddress”:””,“mac”:”1XXX…XXX9?, “noTrack”:0,”placement”:””, “pubTargeting”:”age=30, androidstore=’com.android.vending’, customer=’googleplay’, gender=’FEMALE’, version=’4.1.0?”,”rvCR”:””, “type”:”iq”,”userAgentInfo”:{“Build”:”1.35.0.50370?, “BuildID”:”323?, “Carrier”:””,”Density”:”High”, “Device”:“AscendY300?, “DeviceFamily”:“Huawei”, “MCC”:”0?,”MNC”:”0?,…We can see the information transmitted to neptune.appads.com includes gender, age, android id, device id, mac address, device type, etc. In another PCap in which Angry Birds sends POST to the same host name, the IP address is transmitted too:HTTP/1.1 200 OK…POST /Services/v1/SdkConfiguration/Get HTTP/1.1…Host: neptune.appads.com…IpAddress”:”fXXX…XXX9%eth0?,…According to whois records, the registrant organization of neptune.appads.com is Burstly, Inc. Therefore, the aforementioned information is actually transmitted to Burstly. It Both PCaps contain the keyword “crParms.” This keyword is also used in the source code to put personal information into a map sent as a payload.Skyrocket.com is an app monetization service provided by Burstly. The following PCap shows that Angry Birds retrieves the customer ID from Skyrocket.com through an HTTP GET request:HTTP/1.1 200 OKCache-Control: privateContent-Type: text/htmlDate: Thu, 06 Mar 2014 07:12:25 GMTServer: Microsoft-IIS/7.5ServerName: P-ADS-OR-WEBA #5X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETX-ReqTime: 2X-Stats: geo-0Content-Length: 9606Connection: keep-aliveGET /7….4/ad/image/1…c.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Host: cdn.skyrocketapp.comConnection: Keep-Alive{“type”:”ip”,”Id”:”9XXX8?,…”data”:[{“imageUrl”:”https://cdn.skyrocketapp.com/79…2c.jpg”,”adType”:{“width”:300, “height”:250, “extendedProperty”:80}, “dataType”: 64, “textAdType”:0,”destType”:1,”destParms”:””,”cookie”:[{“name”:”fXXXg”, “value”: “ref=1XXX2&cr1XXX8=2,1&cr1XXX8=1&aoXXX8=”, “path”:”/”, “domain”: “neptune.appads.com”, “expires”:”Sat, 05 Apr 2014 XXX GMT”, “maxage”: 2…0}, {“name”:”vw”,”value”:”ref=1XXX2&…},…,”cbi”:”https://bs.serving-sys.com/Burstin…25&rtu=-1″,”cbia”:[“https://bs….”:1,”expires”:60},…”color”:{“bg”:”0…0″}, “isInterstitial”:1} 2. In this PCap, the ad is fetched by including the customer id 1XXX8 into the HTTP POST request to jumptap.com, i.e. Millennial Media: HTTP/1.1 200 OKCache-Control: privateContent-Type: text/htmlDate: Thu, XX Mar 2014 XX:XX:XX GMTServer: Microsoft-IIS/7.5ServerName: P-ADS-OR-WEBC #17X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETX-ReqTime: 475X-Stats: geo-0;rcf88626-255;rcf75152-218Content-Length: 2537Connection: keep-aliveGET /img/1547/1XXX2.jpg HTTP/1.1Host: i.jumptap.comConnection: keep-aliveReferer: https://bar/X-Requested-With: com.rovio.angrybirdsUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Accept-Encoding: gzip,deflateAccept-Language: en-USAccept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7{“type”:”ip”,”Id”:”8XXX5″,”width”:320,”height”:50,”cookie”:[],”data”:[{“data”:”<!– AdPlacement : banner_ingame_burstly…”,”adType”:{“width”:320, “height”:50, “extendedProperty”:2064 },”dataType”:1, “textAdType”:0, “destType”:10, “destParms”:””, “cookie”:[{“name”:”…”, “value”:”ref=…&cr1XXX8=4,1&cr1XXX8=2,1″, “path”:”/”, “domain”:”neptune.appads.com”, “expires”:”Sat, 0X Apr 2014 0X:XX:XX GMT”, “maxage”:2XXX0}, {“name”:”vw”,…, “crid”:7XXX2, “aoid”:3XXX3, “iTrkData”:”…”, “clkData”:”…”,”feedName”:”Nexage”}]}In this pcap, the advertisement is retrieved from jumptap.com. We can use the same customer id “1XXXX8” to easily track the PCap of different ad libraries.3. For example, in another PCap from turn.com, customer id remains the same:HTTP/1.1 200 OKCache-Control: privateContent-Type: text/htmlDate: Thu, 06 Mar 2014 07:30:54 GMTServer: Microsoft-IIS/7.5ServerName: P-ADS-OR-WEBB #6X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETX-ReqTime: 273X-Stats: geo-0;rcf88626-272Content-Length: 4714Connection: keep-aliveGET /server/ads.js?pub=24…PvctPFq&acp=0.51 HTTP/1.1Host: ad.turn.comConnection: keep-aliveReferer: https://bar/Accept: */*X-Requested-With: com.rovio.angrybirdsUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Ascend Y300 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Accept-Encoding: gzip,deflateAccept-Language: en-USAccept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7{“type”:”ip”,”Id”:”0…b”,”width”:320,”height”:50,”cookie”:[],”data”:[{“data”:”<!– AdPlacement : banner_ingame_burstly –> “https://burstly.ads.nexage.com:80…” destParms”:””, “cookie”:[{“name”:”f…g”, “value”:”ref=1…0&cr1XXXX8=k,1&cr…8=i, 1″,”path”:”/”, “domain”:”neptune.appads.com”, “expires”:”Sat, 0X Apr 2014 0X:XX:XX Earlier in month of September, 2013, reacting to news reports that Rovio had shared private user information with NSA and GCHQ under the world snooping programs, it had stated categorically that “does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world.” Now that too seems like a bitter truth which the Angry Birds users will have to swallow in order to kill the bad piggies.Resource : FireEye Blog
