Researchers at developer security company Snyk claim to have identified malicious behavior in an advertising SDK that is present in more than 1,200 iOS applications offered in the Apple App Store.
The SDK has been developed by Mintegral, a China-based mobile advertising platform provider that has offices in the United States, Europe and Asia. Snyk says it has only identified the malicious behavior in iOS versions of the Mintegral advertising SDK; the code does not appear to be present in Android versions. The company estimates that the 1,200 impacted iOS apps are downloaded roughly 300 million times every month.
According to Snyk, its researchers discovered what they described as malicious code in versions of the iOS SDK going back to 5.5.1 (released in July 2019). The code on which they conducted their analysis was obtained from Mintegral’s official GitHub account.
Snyk says the SDK, which it has dubbed “SourMint,” can allow Mintegral to steal revenue from other ad networks used by applications integrating the SDK. In addition to ad fraud, it allegedly harvests URLs accessed through applications that use the SDK — as well as other system and device information — which could provide the vendor access to highly sensitive information, as demonstrated by Snyk in a video.
SecurityWeek has reached out to Mintegral for comment and will update this article if the company responds.
“Developers can sign up as publishers and download the SDK from the Mintegral site. Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including app store links, from within the app,” Snyk researchers explained. “This gives the SDK access to a significant amount of data and even potentially private user information. The SDK also specifically examines these open URL events to determine if a competitor’s ad network SDK was the source of the activity.”
The company has pointed out that this behavior appears to be intentional as the SDK looks for signs of a debugger and proxy tools before initiating these activities. This could be an attempt to determine if it’s being analyzed and possibly a method for bypassing Apple’s review process for applications published on the App Store, as it behaves differently if its actions are being watched.
“As the first malicious SDK of this kind to infiltrate the iOS ecosystem, SourMint was very sophisticated. It avoided detection for so long by utilizing various obfuscations and anti-debugging tricks,” said Danny Grander, co-founder and CSO of Snyk. “Developers were unaware of the malicious package upon deploying the application, allowing it to proliferate for more than a year.”
UPDATE: Apple says it has spoken with the Snyk researchers to ensure that it’s fully informed on the research, but the tech giant has found no evidence that apps using the Mintegral SDK are harming users.
The company says app developers are responsible for the behavior of their products, including the behavior of third-party code, and they should exercise caution when using third-party code to insure it does not accidentally undermine security and privacy.
On the other hand, Apple points out that the research conducted by Snyk shows that it’s possible for third-party code to introduce unintended functionality. The company says the type of behavior described by the researchers is all too common, which is why it has been taking steps to provide users more control over their data and ensure that apps are transparent regarding the data they collect.
UPDATE 8/25: Mintegral has issued a statement firmly denying the allegations.
Mintegral practices have never conflicted with Apple’s terms of service or violated customer trust. Mintegral has ensured data would never be used for any fraudulent install claims and take these allegations very seriously.
To be fully transparent with the Mintegral SDK and practices, Mintegral encourages customers and partners to investigate this accusation through their independent data as well. It is confident that customers and partners will reach the same conclusions, that is, there is no fraud taking place.
The company’s full statement.