Apple’s review of apps is comprehensive, but it looks like an advertising framework has fooled it. One leading software development kit (SDK) used to help app developers make money from their apps hides malware that can steal your personal data. You read that right, and the scope of the problem is frightening. In more than 1,200 iPhone apps, the ads hide malware.
How Bad Could It Really Be?
Before I get into what this malware does, let’s look at the scope of the problem. Snyk says this malware has been hidden in the Mintegral SDK since July 2019, and this particular kit is very popular on iOS.
More than 1,200 apps is a lot. The worst outbreak I can recall until now was the Clicker malware, which was found in 17 apps.
That’s right. More than 1,200 apps in the App Store, representing an estimated 300 million downloads per month, include the Mintegral SDK. Chances are quite good that you have at least one app on your iPhone using the Mintegral SDK.
Stealing Clicks From Other Ad Networks
An application security firm, Snyk, recently discovered malicious code hidden within the Mintegral SDK. Mintegral is used by a large number of software developers to deliver advertising content to their iOS apps. Not only does the malicious code in Mintegral steal potential revenue from other ad networks, it also means those money-generating ads hide malware.
According to Snyk, the main goal of the malicious code is to hijack user clicks on advertising within the app. App publishers often use SDKs from multiple ad networks in their software. An ad mediator optimizes revenue for publishers by choosing which advertising network to use for each ad request. It does this by analyzing the performance metrics of the different networks and picking the most favorable one for each request.
The Mintegral SDK intercepts every ad click, and more broadly every URL the app opens. It then forges a click notification to the attribution provider, making it appear that the click came from Mintegral’s network, even when a competing ad network actually served the advertisement that was clicked.
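The mechanism described above, modelled as an added example (this is illustrative code, not Mintegral’s SDK or Snyk’s analysis tooling). A mediator picks the best-paying of two hypothetical networks, the user clicks the ad, and every SDK that has hooked the app’s URL-open path sees the click. The honest SDK reports only clicks on its own creatives; the hijacking SDK claims every click. The attribution provider catches the forgery with a simple reconciliation check: a click claimed by a network that did not serve the last impression on that placement cannot be legitimate. Network names, eCPMs and URLs are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed, hypothetical networks and prices; the mediator picks the highest eCPM.
ECPM = {"honest-net": 2.10, "hijacking-sdk": 1.40}


@dataclass
class Impression:
    placement: str
    network: str        # network whose creative was actually shown
    click_url: str


@dataclass
class ClickNotification:
    placement: str
    claimed_network: str   # network asserting "this click is mine"
    url: str


class AttributionProvider:
    """Receives impressions from the mediator and click notifications from networks.

    A click claimed by a network that did not serve the most recent impression
    on that placement is flagged as a forged attribution.
    """

    def __init__(self) -> None:
        self.last_impression: Dict[str, Impression] = {}
        self.clicks: List[ClickNotification] = []
        self.flagged: List[ClickNotification] = []

    def record_impression(self, imp: Impression) -> None:
        self.last_impression[imp.placement] = imp

    def notify_click(self, note: ClickNotification) -> None:
        self.clicks.append(note)
        served = self.last_impression.get(note.placement)
        if served is None or served.network != note.claimed_network:
            self.flagged.append(note)


class Mediator:
    """Chooses the best-paying network per request and reports the impression."""

    def __init__(self, attribution: AttributionProvider) -> None:
        self.attribution = attribution

    def request_ad(self, placement: str) -> Impression:
        best = max(ECPM, key=ECPM.get)
        imp = Impression(placement, best, f"https://ads.example/{best}/offer?id=42")
        self.attribution.record_impression(imp)
        return imp


Hook = Callable[[str, str], None]


def honest_click_hook(attribution: AttributionProvider, network: str) -> Hook:
    """A well-behaved network SDK: reports only clicks on its own creatives."""
    def hook(placement: str, url: str) -> None:
        if f"/{network}/" in url:
            attribution.notify_click(ClickNotification(placement, network, url))
    return hook


def hijacking_click_hook(attribution: AttributionProvider, own_network: str) -> Hook:
    """The behaviour the article describes: every intercepted URL open becomes
    a click notification claiming own_network, whoever served the ad."""
    def hook(placement: str, url: str) -> None:
        attribution.notify_click(ClickNotification(placement, own_network, url))
    return hook


class App:
    """An app whose URL-open path has been hooked by every installed ad SDK."""

    def __init__(self, hooks: List[Hook]) -> None:
        self.hooks = hooks

    def user_clicks(self, imp: Impression) -> None:
        for hook in self.hooks:          # each SDK observes the URL open
            hook(imp.placement, imp.click_url)


def run_scenario(hijacker_installed: bool) -> AttributionProvider:
    """One impression and one click, with or without the hijacking SDK present."""
    attribution = AttributionProvider()
    hooks = [honest_click_hook(attribution, "honest-net")]
    if hijacker_installed:
        hooks.append(hijacking_click_hook(attribution, "hijacking-sdk"))
    imp = Mediator(attribution).request_ad("home_banner")
    App(hooks).user_clicks(imp)
    return attribution
```

With the hijacking SDK installed, the provider receives two click notifications for one click; the one claiming "hijacking-sdk" contradicts the recorded impression and is flagged. In practice the check needs the mediator to report impressions to the attribution provider, which is exactly the data the forgery relies on nobody cross-referencing.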
Ads Hide Malware and Leave a Sour Taste
Snyk has dubbed this malicious code SourMint, and it doesn’t just steal clicks from competing ad networks. The code within Mintegral can also capture your personally identifiable information and send it off the device.
Every URL request made within a compromised app gets captured by the Mintegral SDK. That means the SDK records the entire URL, which might contain identifiers like usernames or other sensitive information. The capture can also include authentication tokens, the advertising identifier (the random value used to identify your device across ad networks), and even your iOS device’s IMEI.
In case it’s not clear, an ad SDK embedded in an app simply isn’t supposed to be able to record that information.
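To make the exposure concrete, here is an added triage example (not Snyk’s tool and not Mintegral’s code) that goes through a constructed list of URLs an app might open and reports which ones carry the kinds of data the article lists: user identifiers in the path, bearer tokens, an advertising identifier, and an IMEI. The IMEI check uses the Luhn check digit so a random 15-digit number is not flagged. A redaction helper shows what an app could strip before a URL is handed to any third-party component; the sample URLs, hostnames and values are all made up.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of URLs an app might open; not data from Snyk's report.
CAPTURED_URLS = [
    "https://api.example.com/v1/users/alice.smith/profile"
    "?access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln",
    "https://track.adnet.example/click?idfa=6D92078A-8246-4BA4-AE5B-76104861E7DC&campaign=77",
    "https://m.example.com/device/register?imei=490154203237518",
    "https://cdn.example.com/images/logo.png",
]

CREDENTIAL_KEYS = {"token", "access_token", "auth", "session", "sid", "api_key", "apikey"}
USER_KEYS = {"email", "user", "username"}
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
IMEI_RE = re.compile(r"^\d{15}$")
USER_PATH_RE = re.compile(r"/users?/([^/]+)")


def luhn_valid(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; use it to avoid flagging arbitrary numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(key: str, value: str) -> Optional[str]:
    """Categorise a query parameter by its name and the shape of its value."""
    k = key.lower()
    if k in CREDENTIAL_KEYS or JWT_RE.match(value):
        return "credential"
    if k == "idfa" and UUID_RE.match(value):
        return "advertising_id"
    if k == "imei" and IMEI_RE.match(value) and luhn_valid(value):
        return "device_imei"
    if k in USER_KEYS:
        return "user_identifier"
    return None


def assess_url(url: str) -> List[Tuple[str, str]]:
    """Return (category, location) pairs for sensitive data visible in a URL."""
    parts = urlsplit(url)
    findings: List[Tuple[str, str]] = []
    m = USER_PATH_RE.search(parts.path)
    if m:
        findings.append(("user_identifier", f"path:{m.group(1)}"))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        cat = classify(key, value)
        if cat:
            findings.append((cat, f"query:{key}"))
    return findings


def triage(urls: List[str]) -> Dict[str, List[str]]:
    """Group the hosts that received each category of sensitive data."""
    report: Dict[str, List[str]] = {}
    for url in urls:
        host = urlsplit(url).netloc
        for cat, _ in assess_url(url):
            report.setdefault(cat, []).append(host)
    return report


def redact(url: str) -> str:
    """Blank out sensitive path segments and query values before logging or sharing."""
    parts = urlsplit(url)
    path = USER_PATH_RE.sub(lambda m: m.group(0).replace(m.group(1), "REDACTED"), parts.path)
    query = [(k, "REDACTED" if classify(k, v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))
```

Run against the constructed sample, three of the four URLs carry something a third-party SDK has no business seeing. Note that redaction at the app layer only helps if the app controls the URL before the hooked code sees it; a hook on the system URL-open path sees whatever the app passes, so the real fix is not shipping the hooking code at all.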
How Did This Get Past the App Review?
Here’s the tricky part, because Apple’s extensive app review process is supposed to prevent exactly the sort of situation where ads hide malware. According to Snyk, a number of anti-debugging protections within the SDK look like they were designed to prevent detection.
These protections keep researchers from ferreting out the true behavior of the SDK. If the SDK detects that the device is jailbroken, that a debugger is attached, or that traffic is being routed through a proxy tool, it switches to benign behavior to hide its malicious intent. So not only do the ads hide malware, the malware hides itself from Apple’s app review process.
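The review-evasion logic described above, as an added example (a hypothetical model, not the SDK’s code). The gated handler only logs URLs and forges click notifications when none of the three analysis signals is present, so a reviewer who tests with a debugger attached or traffic routed through a proxy sees nothing but a normal URL open. The second function shows the countermeasure: run the same code path under every combination of signals and treat behavior that appears only on a "clean" device as an indicator in its own right.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Environment:
    """Signals an SDK can cheaply read on-device (constructed for this example)."""
    jailbroken: bool
    debugger_attached: bool
    proxy_configured: bool


def analysis_environment_detected(env: Environment) -> bool:
    return env.jailbroken or env.debugger_attached or env.proxy_configured


def gated_sdk_handler(env: Environment, url: str) -> Tuple[str, ...]:
    """Hypothetical model of the behavior the article describes: malicious
    actions happen only when no analysis signal is present."""
    actions = ["open_url"]
    if analysis_environment_detected(env):
        return tuple(actions)          # looks harmless under a debugger or proxy
    actions += ["log_full_url", "forge_click_notification"]
    return tuple(actions)


def benign_sdk_handler(env: Environment, url: str) -> Tuple[str, ...]:
    """Control: an SDK whose behavior does not depend on the environment."""
    return ("open_url",)


Handler = Callable[[Environment, str], Tuple[str, ...]]


def differential_review(handler: Handler,
                        url: str = "https://example.com/click?id=1") -> Dict[str, object]:
    """Exercise one code path under all 2^3 signal combinations and report
    actions that occur only when the device looks clean."""
    envs = [Environment(*flags) for flags in product((False, True), repeat=3)]
    observed = {env: set(handler(env, url)) for env in envs}
    clean = observed[Environment(False, False, False)]
    under_analysis: set = set().union(
        *(observed[e] for e in envs if analysis_environment_detected(e)))
    return {
        # any divergence across environments is suspicious by itself
        "divergent": len({frozenset(v) for v in observed.values()}) > 1,
        # what a reviewer misses if every probe trips a detection check
        "clean_only_actions": sorted(clean - under_analysis),
        # what a single instrumented probe (jailbroken + debugger + proxy) shows
        "single_probe_view": sorted(observed[Environment(True, True, True)]),
    }
```

In a real review the "clean" run means an unmodified device, no debugger, no on-device proxy configuration, with traffic captured off the device (for example at the router or an upstream gateway) rather than through a proxy the SDK can see in the network settings. Comparing that run against an instrumented one is what exposes environment-gated behavior.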
Does My App Contain SourMint?
Unfortunately, nobody has yet compiled a list of which iOS apps are exposed by SourMint. We do know that the Android version of the Mintegral SDK is unaffected, so it’s iOS-only for now. App publishers can use a tool provided alongside Snyk’s technical analysis of SourMint to test their own apps for infection. You can also read the TL;DR of the malicious code, including examples of how Mintegral’s SDK helps ads hide malware and hijack clicks.
In an update to this story, Mintegral has denied the allegations in a press release.