More than 1,200 iPhone and iPad apps, which are downloaded 300 million times each month, contain malicious code that secretly steals user data and redirects ads, according to an application security firm The malicious code is capable of, and may have been designed to, circumvent Apple's iOS app review procedures
In a new report released yesterday (August 24), Boston-based Snyk found that the Mintegral software development kit (SDK) for iOS, an in-app advertising framework developed in China, could be used by app users to request URL requests and request headers and discovered that either of them may contain personal information
"The scope of the data collected is greater than what is needed for legitimate click attribution," Snyk's Alyssa Miller wrote in a Snyk blog post yesterday
"The app also uses questionable coding practices to achieve this level of data access
Unfortunately, there is little iPhone or iPad users can do against this malware, which Snyk calls "SourMint"
It is not easy to determine from the user side whether an iOS app is using this particular ad SDK, as it is not possible to determine whether the app is using the SDK or notTom's Guide has reached out to Apple for comment and will update this article as soon as we hear back However, ZDNet reports that Apple has stated that there is no evidence that the Mintegral SDK is adversely affecting iOS users
Mintegral is just one of many ad SDKs in common use around the world, and many mobile apps bundle multiple SDKs to maximize ad revenue Mintegral also makes an SDK for Android apps, but Snyk stated that he could find no evidence of malicious activity by the SDKs on Android
The Mintegral SDK also commits ad fraud by hijacking ad requests from other ad frameworks and claiming them to be its own ad requests, thereby stealing revenue owed to other parties
"The Mintegral SDK can intercept all ad clicks (and other URL clicks as well) within an application," Miller wrote
"It uses this information to forge click notifications to attribution providers The forged notification makes it appear that the ad click went through their network, even though it may have been a competing ad network that delivered the ad"While ad fraud is illegal, it is not harmful to users per se However, logging of URLs may disclose unique identifiers embedded in the URL to Mintegral, and request headers may contain "authentication tokens or other sensitive information," Snyk said
Furthermore, it appears that the Mintegral SDK tries to hide this activity: "Upon finding evidence of being monitored, the SDK apparently modifies its behavior to hide its malicious behavior," Snyk writes
If the SDK detects that it is running on a rooted phone or that debugging software is being used, the malicious activity stops - both tools commonly used by security researchers
"This may also help the SDK get through Apple's app review process undetected," Miller noted
"Mintegral's attempt to hide the nature of the data being captured through both tamper-resistant controls and custom proprietary encoding techniques is reminiscent of similar features reported by researchers who have analyzed Tik Tok apps," Miller added
Comments