A piece of mobile malware has been discovered that is said to have infected tens of thousands of iPhones and iPads in an effort to help its masters make a profit.
The mobile threat, called iOS/AdThief and also known as Spad, was first reported by Claud Xiao in March. Fortinet researcher Axelle Apvrille recently published a paper providing a detailed description of the threat’s implementation and some information on its developer.
AdThief, which works only on jailbroken devices, is designed to hijack revenue from advertisements by implementing a Cydia Substrate extension. Once it infects a device, the malware modifies the developer ID in the advertisement SDKs used by installed applications so that whenever an ad is displayed or clicked, the revenue goes to the cybercriminals instead of the app’s creators.
“Cydia Substrate, which only works on jailbroken devices, is a platform for modifying existing processes. It provides an API to hook the legitimate functions, and you can add your own tweaks. This is exactly what the malware does: it hooks various advertisement functions and modifies the developer ID (a.k.a. promotion ID) to match that of the attacker,” Apvrille wrote in her paper.
The threat targets a total of 15 adkits, which have been identified by researchers because debugging information was not removed by the malware authors. The list of adkits includes YouMi, Vpon, MobClick, AdSage/MobiSage, MdotM, InMobi, AdWhirl, Google Mobile Ads SDK, AderMob, Weibo, and Poly SDK. While most of them are Chinese, some of them are developed by companies based in the United States and India.
By infecting more than 75,000 devices running iOS, cybercriminals have managed to hijack an estimated 22 million ads, Xiao said on his blog.
In addition to helping researchers identify the targeted adkits, the debugging information also helped track down one of the creators of AdThief. The clues left behind in the code led researchers to a Chinese hacker who specializes in mobile platforms. The individual, known online as “Rover12421” and “zerofile,” has admitted writing the code for replacing developer IDs in advertisement SDKs, but he claims someone else picked up and improved the project. He denies being involved in the distribution of the malware.
The complete paper, “Inside the iOS/AdThief malware,” is available on Virus Bulletin.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
