Malvertising targets IoT devices, finds GeoEdge

  • August 11, 2021
  • Steve Rogerson

New York cyber-security company GeoEdge has uncovered a global-scale malvertising attack, which is the first ad-based cyber crime aimed specifically at home-network-based IoT devices.

Working with the company’s adtech partners InMobi and Verve Group, GeoEdge’s security researchers identified both the attack vector and its origins with bad actors in Slovenia and Ukraine.

GeoEdge’s security research team has been investigating the malvertising attack on smart home IoT devices since mid-June 2021. The widely distributed attack vector is the first to use online advertising to install apps silently on home-wifi-connected IoT devices, and only requires that hackers possess a basic understanding of device API documentation, some JavaScript knowledge and rudimentary online advertising skills.

Market research firm IoT Analytics forecasts more than 30 billion IoT device connections worldwide by 2025, making home and industrial IoT an extremely attractive and vulnerable frontier for malvertisers.

“GeoEdge’s patented behavioural code analysis technology and advanced malware detection capabilities detected these online ads covertly injecting malware into smart-home IoT devices,” said GeoEdge CEO Amnon Siev. “With the collaboration between InMobi and Verve, we exposed the origin, infrastructure and global scale of these attacks. This joint mission is built on trust and a deep understanding of the threat landscape which has enabled us to create a new standard for user protection.”

Malvertising, or malicious advertising, spreads malware through the injection of malicious code into online display ads via online advertising networks, exposing user networks and connected devices to the potential risk of infection. Advertising networks are generally unaware they are serving malicious content and, in the cases discovered by GeoEdge, users targeted with the attack aren’t even required to click on the infected ad or navigate to a malicious page to initiate the attack on home network devices.

“Digital advertising continues to capture a larger share of marketing budgets for companies large and small, and with that growth come potential risks,” said Kunal Nagpal, senior vice president at InMobi. “It is critical that we have the checks and balances to identify and contain potential malicious threats before they can infect users’ devices. Our collaboration with GeoEdge enhances user protection across the advertising ecosystem through advanced real-time detection, ensures the delivery of safe ads to our global partners and helps us maintain quality and user trust.”

The impacts of the broad IoT attack revealed in GeoEdge’s research include the ability to manipulate IoT devices and download apps without users’ consent, the risk of theft of personal information and monetary instruments, and tampering with home systems such as smart locks and surveillance cameras. GeoEdge says antivirus apps and even firewalls are not sufficient to block such attacks, making it necessary to block infected ads continuously in real time to prevent them from being rendered and presented to users.

“As we work to maintain a clean and transparent ecosystem, the ad security landscape constantly evolves, introducing new cyber-security risks which require innovations,” said Pieter de Zwart, VP of engineering at Verve Group. “We are committed to ensuring a safe advertising experience and partnering with key industry players enables us to fulfil that mission.”