Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

iOS Malware Hijacked Ad Revenue on More Than 75,000 Devices

A piece of mobile malware has been discovered that is said to have infected tens of thousands of iPhones and iPads in an effort to help its masters make a profit.

A piece of mobile malware has been discovered that is said to have infected tens of thousands of iPhones and iPads in an effort to help its masters make a profit.

The mobile threat, called iOS/AdThief and also known as Spad, was first reported by Claud Xiao in March. Fortinet researcher Axelle Apvrille recently published a paper providing a detailed description of the threat’s implementation and some information on its developer.

AdThief, which works only on jailbroken devices, is designed to hijack revenue from advertisements by implementing a Cydia Substrate extension. Once it infects a device, the malware modifies the developer ID in the advertisement SDKs used by installed applications so that whenever an ad is displayed or clicked, the revenue goes to the cybercriminals instead of the app’s creators.

“Cydia Substrate, which only works on jailbroken devices, is a platform for modifying existing processes. It provides an API to hook the legitimate functions, and you can add your own tweaks. This is exactly what the malware does: it hooks various advertisement functions and modifies the developer ID (a.k.a. promotion ID) to match that of the attacker,” Apvrille wrote in her paper.

The threat targets a total of 15 adkits, which have been identified by researchers because debugging information was not removed by the malware authors. The list of adkits includes YouMi, Vpon, MobClick, AdSage/MobiSage, MdotM, InMobi, AdWhirl, Google Mobile Ads SDK, AderMob, Weibo, and Poly SDK. While most of them are Chinese, some of them are developed by companies based in the United States and India.

By infecting more than 75,000 devices running iOS, cybercriminals have managed to hijack an estimated 22 million ads, Xiao said on his blog.

In addition to helping researchers identify the targeted adkits, the debugging information also helped track down one of the creators of AdThief. The clues left behind in the code led researchers to a Chinese hacker who specializes in mobile platforms. The individual, known online as “Rover12421” and “zerofile,” has admitted writing the code for replacing developer IDs in advertisement SDKs, but he claims someone else picked up and improved the project. He denies being involved in the distribution of the malware.

The complete paper, “Inside the iOS/AdThief malware,” is available on Virus Bulletin.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...