Malicious Behavior Allegedly Found in Advertising SDK Used by 1,200 iOS Apps

Researchers at developer security company Snyk claim to have identified malicious behavior in an advertising SDK that is present in more than 1,200 iOS applications offered in the Apple App Store.

The SDK has been developed by Mintegral, a China-based mobile advertising platform provider that has offices in the United States, Europe and Asia. Snyk says it has only identified the malicious behavior in iOS versions of the Mintegral advertising SDK; the code does not appear to be present in Android versions. The company estimates that the 1,200 impacted iOS apps are downloaded roughly 300 million times every month.

According to Snyk, its researchers discovered what they described as malicious code in versions of the iOS SDK going back to 5.5.1 (released in July 2019). The code on which they conducted their analysis was obtained from Mintegral’s official GitHub account.

Snyk says the SDK, which it has dubbed “SourMint,” can allow Mintegral to steal revenue from other ad networks used by applications integrating the SDK. In addition to ad fraud, it allegedly harvests URLs accessed through applications that use the SDK — as well as other system and device information — which could provide the vendor access to highly sensitive information, as demonstrated by Snyk in a video.

SecurityWeek has reached out to Mintegral for comment and will update this article if the company responds.

“Developers can sign up as publishers and download the SDK from the Mintegral site. Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including app store links, from within the app,” Snyk researchers explained. “This gives the SDK access to a significant amount of data and even potentially private user information. The SDK also specifically examines these open URL events to determine if a competitor’s ad network SDK was the source of the activity.”

The company has pointed out that this behavior appears to be intentional, as the SDK looks for signs of a debugger and proxy tools before initiating these activities. This could be an attempt to determine whether it is being analyzed, and possibly a method for bypassing Apple’s review process for applications published on the App Store, since the SDK behaves differently when its actions are being watched.
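The hooking described above is the kind of thing an app developer can check for at start-up. The following is an added example (not code from the article, Snyk, or Mintegral) that asks the Objective-C runtime which loaded Mach-O image currently supplies the implementation of UIKit’s URL-opening methods; the UIKit framework paths it compares against are assumptions about where those implementations normally live.

```objectivec
// Added example: a defensive self-check for method swizzling of URL-opening selectors.
// If the IMP for a UIKit selector resolves to an image outside UIKit (for example a
// third-party SDK framework or the app binary itself), some code has replaced it and
// deserves a closer look. This only detects Objective-C method replacement, not other
// hooking techniques.
#import <UIKit/UIKit.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// Returns the path of the Mach-O image containing the current implementation of
// `sel` on `cls`, or nil if the method or its image cannot be resolved.
static NSString *ImageImplementing(Class cls, SEL sel) {
    Method m = class_getInstanceMethod(cls, sel);
    if (m == NULL) return nil;
    IMP imp = method_getImplementation(m);
    Dl_info info;
    if (dladdr((const void *)imp, &info) == 0 || info.dli_fname == NULL) return nil;
    return [NSString stringWithUTF8String:info.dli_fname];
}

// Assumption: on current iOS releases UIKit's implementations live in UIKitCore
// (older releases used UIKit.framework directly).
static BOOL IsUIKitImage(NSString *path) {
    return path != nil &&
           ([path containsString:@"/UIKitCore.framework/"] ||
            [path containsString:@"/UIKit.framework/"]);
}

// Audits the selectors an app calls to open URLs (including App Store links) and
// returns, keyed by selector name, the image path of any implementation that is
// no longer provided by UIKit. An empty dictionary means no swizzle was found.
NSDictionary<NSString *, NSString *> *AuditOpenURLHooks(void) {
    SEL selectors[] = {
        @selector(openURL:),
        @selector(openURL:options:completionHandler:),
    };
    NSMutableDictionary<NSString *, NSString *> *hooked = [NSMutableDictionary dictionary];
    for (size_t i = 0; i < sizeof(selectors) / sizeof(selectors[0]); i++) {
        NSString *image = ImageImplementing([UIApplication class], selectors[i]);
        if (!IsUIKitImage(image)) {
            hooked[NSStringFromSelector(selectors[i])] = image ?: @"<unresolved>";
        }
    }
    return hooked;
}
```

Call `AuditOpenURLHooks()` after all third-party SDKs have initialised (for example at the end of `application:didFinishLaunchingWithOptions:`) and log or report any non-empty result; a swizzle by a legitimate analytics or crash-reporting library will also show up, so the image path tells you which SDK to review.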

“As the first malicious SDK of this kind to infiltrate the iOS ecosystem, SourMint was very sophisticated. It avoided detection for so long by utilizing various obfuscations and anti-debugging tricks,” said Danny Grander, co-founder and CSO of Snyk. “Developers were unaware of the malicious package upon deploying the application, allowing it to proliferate for more than a year.”

UPDATE: Apple says it has spoken with the Snyk researchers to ensure that it’s fully informed on the research, but the tech giant has found no evidence that apps using the Mintegral SDK are harming users.

The company says app developers are responsible for the behavior of their products, including the behavior of third-party code, and they should exercise caution when using third-party code to ensure it does not accidentally undermine security and privacy.

On the other hand, Apple points out that the research conducted by Snyk shows that it’s possible for third-party code to introduce unintended functionality. The company says the type of behavior described by the researchers is all too common, which is why it has been taking steps to provide users more control over their data and ensure that apps are transparent regarding the data they collect.

UPDATE 8/25: Mintegral has issued a statement firmly denying the allegations.

Mintegral practices have never conflicted with Apple’s terms of service or violated customer trust. Mintegral has ensured data would never be used for any fraudulent install claims and takes these allegations very seriously.

To be fully transparent with the Mintegral SDK and practices, Mintegral encourages customers and partners to investigate this accusation through their independent data as well. It is confident that customers and partners will reach the same conclusions, that is, there is no fraud taking place.

The company’s full statement.

Related: Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic

Related: Facebook Sues Chinese Company Over Ad Fraud

Related: Malware Framework Gathers 1 Billion Ad Impressions in 3 Months

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
