A piece of mobile malware has been discovered that is said to have infected tens of thousands of iPhones and iPads in an effort to help its masters make a profit.
The mobile threat, called iOS/AdThief and also known as Spad, was first reported by Claud Xiao in March. Fortinet researcher Axelle Apvrille recently published a paper providing a detailed description of the threat’s implementation and some information on its developer.
AdThief, which works only on jailbroken devices, is designed to hijack revenue from advertisements by implementing a Cydia Substrate extension. Once it infects a device, the malware modifies the developer ID in the advertisement SDKs used by installed applications so that whenever an ad is displayed or clicked, the revenue goes to the cybercriminals instead of the app’s creators.
“Cydia Substrate, which only works on jailbroken devices, is a platform for modifying existing processes. It provides an API to hook the legitimate functions, and you can add your own tweaks. This is exactly what the malware does: it hooks various advertisement functions and modifies the developer ID (a.k.a. promotion ID) to match that of the attacker,” Apvrille wrote in her paper.
The threat targets a total of 15 adkits, which have been identified by researchers because debugging information was not removed by the malware authors. The list of adkits includes YouMi, Vpon, MobClick, AdSage/MobiSage, MdotM, InMobi, AdWhirl, Google Mobile Ads SDK, AderMob, Weibo, and Poly SDK. While most of them are Chinese, some of them are developed by companies based in the United States and India.
By infecting more than 75,000 devices running iOS, cybercriminals have managed to hijack an estimated 22 million ads, Xiao said on his blog.
In addition to helping researchers identify the targeted adkits, the debugging information also helped track down one of the creators of AdThief. The clues left behind in the code led researchers to a Chinese hacker who specializes in mobile platforms. The individual, known online as “Rover12421” and “zerofile,” has admitted writing the code for replacing developer IDs in advertisement SDKs, but he claims someone else picked up and improved the project. He denies being involved in the distribution of the malware.
The complete paper, “Inside the iOS/AdThief malware,” is available on Virus Bulletin.
