Malicious SDK Spies on iPhone Users and Steals Ad Revenue, Researchers Claim

Filip TRUȚĂ

August 25, 2020

Security researchers have uncovered malicious behavior in a software development kit (SDK) used by over 1,200 apps in Apple’s App Store, with a combined monthly user base of approximately 300 million. Researchers claim the SDK steals ad revenue and exfiltrates user data to servers controlled by its developers.

Dubbed “SourMint” by Snyk researchers, the SDK is provided by Chinese mobile ad platform provider Mintegral. It allegedly contains malicious code that can spy on user activity by logging URL-based requests made through apps that have it baked in for ad monetization.

“This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information,” Snyk researchers explain in a blog post. “Furthermore, the SDK fraudulently reports user clicks on ads, stealing potential revenue from competing ad networks and, in some cases, the developer/publisher of the application.”

Mintegral allegedly uses two methods to steal revenue from competing ad networks. In the first, the SDK claims attribution for clicks that did not occur on a Mintegral-presented ad, taking advertiser revenue that should have gone to the other ad networks.

“This seems to be the main goal of this malicious functionality,” the researchers argue.

The second method is less direct. The research team argues that the developer or mediator SDK may notice that Mintegral is performing better than other ad networks, causing positive bias toward Mintegral. Furthermore, competing ad networks can lose revenue even when Mintegral isn’t used to serve ads, as the malicious code intercepts the clicks even if the service isn’t enabled to serve ads.

“In this case, ad revenue that should have come back to the developer or publisher via a competing ad network will never be paid to the developer,” according to the researchers.

The Mintegral SDK’s malice apparently goes even deeper. It allegedly also contains several anti-debug protections to hide its true purpose.

“In the code, there is a particular routine that attempts to determine if the phone was rooted and if any type of debugger or proxy tools are in use. If it finds evidence that it is being watched, the SDK modifies its behavior in an apparent attempt to mask its malicious behaviors. This may also help the SDK pass through Apple’s app review process without being detected,” the team notes.

The full research is available here. Researchers also provide what they believe is compelling evidence that the SDK exfiltrates more data than it should, potentially including personally identifiable information. The research also includes technical exploit details and remediation.

Of note, Mintegral offers the SDK to Android developers as well. However, according to the Snyk team, the malicious code is only present in the iOS version of the SDK.
