Apple’s app review is thorough, but it appears an advertising company has cheated it. A leading software development kit (SDK) that app developers use to earn money from their apps hides malware and can steal your personal data. You read that right, and the scale of the problem is frightening: in more than 1,200 iPhone apps, ads hide malware.
How bad could that really be?
Before we get into the detail of what this malware does, let’s take a look at the extent of the problem. Snyk says this malware has been hidden in the Mintegral SDK since July 2019, and this particular kit is very popular on iOS.
Over 1,200 popular apps. The worst outbreak I can remember so far was the Clicker malware that was found in 17 apps.
It is true. Over 1,200 apps in the App Store, representing approximately 300 million downloads per month, include the Mintegral SDK. Chances are, you have at least one app on your iPhone using the Mintegral SDK.
Steal clicks from other ad networks
An application security company, Snyk, recently discovered malicious code hidden in the Mintegral SDK. Mintegral is used by a large number of software developers to deliver advertising content to their iOS applications. Not only does Mintegral’s malicious code steal potential revenue from other ad networks, it also means that these money-generating ads are hiding malware.
According to Snyk, the main purpose of the malicious code is to divert user clicks on in-app advertising. App publishers often use SDKs from multiple ad networks in their software. An advertising mediator maximizes a publisher’s revenue by choosing which ad network to use for each ad request. Mediators do this by analyzing the performance metrics of the different networks in use and selecting the most favorable one.
Mintegral is able to intercept each of those clicks on ads and URLs in the app. Then it forges a click notification to the attribution provider, making it look like the click is from the Mintegral network. In fact, it could be a competing ad network that served the ad the user clicked on.
Ads hide malware and leave a bitter taste
Snyk dubbed this malicious code SourMint, and it doesn’t just steal clicks from competing ad networks. The code in Mintegral is also capable of taking your personally identifiable information and sending it to a malicious hacker.
Anything that happens based on a URL request in a compromised application is captured by the Mintegral SDK. This means that the app captures the entire URL, which can have identifiers like usernames or other sensitive information. The capture can also include authentication tokens, the unique random number used to identify your device to the ad network, and even the IMEI of your iOS device.
In case it is not clear, the app is simply not supposed to be able to record this information.
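The two behaviours described above, the forged click attribution and the capture of full URLs, both leave traces in an app’s outbound traffic. The following added example (not code from the article or from Snyk) shows how a tester reviewing a proxy capture of their own app could flag both; hostnames, parameter names and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

@dataclass
class Request:
    ts: int        # capture order / seconds
    kind: str      # "impression", "click", "attribution" or "sdk"
    network: str   # network that served an impression ("" otherwise)
    url: str

SDK_HOST = "sdk.adnet.test"   # hypothetical host of the suspect SDK

def detect_click_hijack(requests):
    """Flag attribution pings whose claimed network is not the network
    that served the most recent impression (the forged click described above)."""
    last_served, findings = None, []
    for r in sorted(requests, key=lambda r: r.ts):
        if r.kind == "impression":
            last_served = r.network
        elif r.kind == "attribution":
            claimed = parse_qs(urlparse(r.url).query).get("network", [""])[0]
            if last_served and claimed != last_served:
                findings.append((r.ts, last_served, claimed))
    return findings

def detect_url_exfil(requests, sdk_host):
    """Flag SDK requests whose parameters carry a URL the app itself opened,
    i.e. the full-URL capture (with any embedded identifiers) described above."""
    opened = {r.url for r in requests if urlparse(r.url).hostname != sdk_host}
    findings = []
    for r in requests:
        if urlparse(r.url).hostname != sdk_host:
            continue
        for values in parse_qs(urlparse(r.url).query).values():  # parse_qs percent-decodes
            for leaked in values:
                if leaked in opened:
                    findings.append((r.ts, leaked))
    return findings

# Constructed sample traffic (hosts and parameter names are assumptions).
SAMPLE = [
    Request(1, "impression", "OtherNet", "https://ads.othernet.test/imp?id=77"),
    Request(2, "click", "", "https://shop.example.test/item?user=alice&token=s3cr3t"),
    Request(3, "attribution", "", "https://attr.mmp.test/click?network=Mintegral&id=77"),
    Request(3, "sdk", "", "https://sdk.adnet.test/log?u=https%3A%2F%2Fshop.example.test"
                          "%2Fitem%3Fuser%3Dalice%26token%3Ds3cr3t"),
]

if __name__ == "__main__":
    print(detect_click_hijack(SAMPLE))
    print(detect_url_exfil(SAMPLE, SDK_HOST))
```

Run against a real capture, the same two checks surface an SDK that takes credit for another network’s ad and one that ships the app’s own URLs, tokens included, to its backend.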
How did it get past the app review?
Here’s the tricky part, because Apple’s entire app review process is supposed to prevent the kind of situation where ads hide malware. According to Snyk, a number of anti-debugging protections in the SDK appear to have been designed to prevent detection.
These prevent researchers from discovering the real behavior behind the app. If the SDK detects that the device is rooted and/or that a debugger or proxy tool is in use, it modifies the behavior of the app to hide its malicious intent. So, not only do the ads hide the malware, but the malware hides itself from Apple’s app review process.
Does my app contain SourMint?
Unfortunately, no one has yet compiled a list of iOS apps exposed by SourMint. We know the Android version of the Mintegral SDK is unaffected, so it’s only iOS for now. App publishers can use a tool provided in Snyk’s technical analysis of SourMint to test their own applications for infection. You can also read the TL;DR of the malicious code, including examples of how the Mintegral SDK helps advertisements hide malware and divert clicks.