Security researchers have uncovered malicious behavior in a software development kit (SDK) used by over 1,200 apps in Apple’s App Store, with a combined monthly user base of approximately 300 million. Researchers claim the SDK steals ad revenue and exfiltrates user data to servers controlled by its developers.
Dubbed “SourMint” by Snyk researchers, the SDK is distributed by the Chinese mobile advertising platform Mintegral. It allegedly contains malicious code that spies on user activity by logging the URL-based requests made by any app that embeds the SDK for ad monetization.
“This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information,” Snyk researchers explain in a blog post. “Furthermore, the SDK fraudulently reports user clicks on ads, stealing potential revenue from competing ad networks and, in some cases, the developer/publisher of the application.”
Mintegral allegedly uses two methods to steal revenue from competing ad networks. The first is direct click-attribution fraud: by claiming attribution for clicks that did not occur on a Mintegral-presented ad, the SDK can capture advertiser revenue that should have gone to the other ad networks.
“This seems to be the main goal of this malicious functionality,” the researchers argue.
The second method is less direct. The research team argues that the developer, or the mediation SDK that allocates ad inventory between networks, may observe that Mintegral appears to perform better than the other networks and bias future placements toward it. Furthermore, competing ad networks can lose revenue even when Mintegral isn’t used to serve ads, because the malicious code intercepts clicks even when the service isn’t enabled to serve ads.
“In this case, ad revenue that should have come back to the developer or publisher via a competing ad network will never be paid to the developer,” according to the researchers.
The Mintegral SDK’s malice apparently goes even deeper. It allegedly also contains several anti-debug protections to hide its true purpose.
“In the code, there is a particular routine that attempts to determine if the phone was rooted and if any type of debugger or proxy tools are in use. If it finds evidence that it is being watched, the SDK modifies its behavior in an apparent attempt to mask its malicious behaviors. This may also help the SDK pass through Apple’s app review process without being detected,” the team notes.
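The following is an added illustration of the kind of environment check the researchers describe, written for this page; it is not Mintegral’s code, and the SDK’s actual probes were not published here. The debugger check uses the sysctl/P_TRACED query that is the classic iOS technique (with a /proc/self/status TracerPid fallback so it also builds on Linux); the jailbreak artifact paths, the environment-variable proxy probe, and the `handle_request` behaviour switch are assumptions chosen to show the pattern an analyst should look for when reversing such an SDK.

```c
// Added example: a generic "am I being watched?" routine of the type the
// researchers describe. NOT the Mintegral SDK's code; paths, env vars and the
// benign/malicious switch are assumptions for illustration.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifdef __APPLE__
#include <sys/sysctl.h>
#endif

/* Returns 1 if a debugger is attached to the current process.
 * Apple platforms: fetch our kinfo_proc via sysctl and test P_TRACED, the
 * classic iOS anti-debug check. Linux: parse TracerPid from /proc/self/status. */
int debugger_present(void)
{
#ifdef __APPLE__
    struct kinfo_proc info;
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return 0;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int traced = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            traced = atoi(line + 10) != 0;
            break;
        }
    }
    fclose(f);
    return traced;
#endif
}

/* Returns 1 if any of the given filesystem paths exists. A jailbreak check
 * calls this with well-known jailbreak artifacts. */
int any_path_exists(const char *const *paths, size_t n)
{
    struct stat st;
    for (size_t i = 0; i < n; i++)
        if (stat(paths[i], &st) == 0)
            return 1;
    return 0;
}

/* Returns 1 if process-level HTTP proxy variables are set (a portable stand-in;
 * on iOS a real SDK would read the system proxy settings instead). */
int proxy_configured(void)
{
    return getenv("HTTP_PROXY") != NULL || getenv("HTTPS_PROXY") != NULL
        || getenv("http_proxy") != NULL || getenv("https_proxy") != NULL;
}

/* Combine the probes. 1 means "analysis environment", so the caller takes
 * the benign code path. Artifact list is an assumption, not the SDK's. */
int analysis_environment_detected(void)
{
    static const char *const jailbreak_artifacts[] = {
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/private/var/lib/apt",
        "/usr/sbin/frida-server",
    };
    size_t n = sizeof jailbreak_artifacts / sizeof jailbreak_artifacts[0];
    return debugger_present()
        || any_path_exists(jailbreak_artifacts, n)
        || proxy_configured();
}

/* The behaviour switch the researchers describe: act like a normal ad SDK when
 * observed, log (and, in the real thing, exfiltrate) the URL otherwise. */
const char *handle_request(const char *url)
{
    if (analysis_environment_detected())
        return "benign";
    (void)url; /* exfiltration would happen here */
    return "log-and-exfil";
}

int main(void)
{
    printf("debugger=%d proxy=%d detected=%d mode=%s\n",
           debugger_present(), proxy_configured(),
           analysis_environment_detected(),
           handle_request("https://example.com/"));
    return 0;
}
```

When reversing a binary suspected of this behaviour, these are the calls to hook or patch (sysctl, stat/access on jailbreak paths, proxy lookups): forcing each probe to return 0 under a debugger or proxy restores the hidden code path so it can be observed.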
Snyk has published the full research on its blog. The researchers also provide what they believe is compelling evidence that the SDK exfiltrates more data than it should, potentially including personally identifiable information. The write-up includes technical details of the malicious functionality and remediation guidance.
Of note, Mintegral offers the SDK to Android developers as well. However, according to the Snyk team, the malicious code is only present in the iOS version of the SDK.