iOS ad developer kit reportedly steals click revenue, harvests user data
Malicious code that steals ad click revenue within apps has been discovered in a popular iOS software development kit.

Credit: Mintegral
The code was found hidden in the SDK of Chinese advertising platform Mintegral, according to a report by cybersecurity firm Snyk, which notes the SDK is used by more than 1,200 apps that are downloaded a combined 300 million times a month.
Like other advertising-related SDKs, the Mintegral kit allows developers to embed ads within their apps without much effort or additional coding. Mintegral provides the SDK to developers for free on both iOS and Android.
According to Snyk, the iOS version of the software kit contains malicious features that silently wait for a user to tap on any ad that doesn't belong to the Mintegral network. When a tap is registered, the SDK hijacks the referral process and makes it appear that the user was actually clicking on a Mintegral ad.
Essentially, the malicious portion of the SDK -- dubbed "SourMint" -- is stealing app revenue from other ad networks. Many apps use multiple ad SDKs to diversify their monetization strategies.
In an email to ZDNet, Apple said that it has spoken to the Snyk security researchers and does not see any evidence that the SDK is harming users. Apple cited the ability for third-party SDKs to incorporate malicious features as a reason why it is debuting a slew of privacy- and security-focused mechanisms in iOS 14, due later in 2020.
Along with the ad fraud, Snyk also claims that the Mintegral kit is harvesting data on users. That includes URLs visited, sensitive information contained within a URL visit request, and a device's Identifier for Advertisers code.
According to Snyk, the "scope of data being collected is greater than would be necessary for legitimate click attribution." All of the user data is also being sent to a remote server.
Mintegral also appears to have portions of code that attempt to hide the nature of the data being collected.
Snyk didn't release a list of apps that use the Mintegral SDK, and users have no way of knowing which development kits an app maker uses in their platforms. Developers will need to review their own code bases to identify and remove the malicious kit. The malicious portion of the kit was reportedly introduced in version 5.5.1, released on July 17, 2019. Snyk notes that developers can also downgrade to an earlier version of the SDK without the malicious code.
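For developers doing that review in a CocoaPods project, the following is an added example (not code from the article or from Snyk) that scans the `PODS:` section of a `Podfile.lock` and flags any resolved Mintegral version at or above 5.5.1, the version the article names. The pod name `MintegralAdSDK` is an assumption, since the article does not give the package name, and the sample lockfile is constructed.

```python
import re

# Assumption: CocoaPods name of the SDK; the article does not state it.
POD_NAME = "MintegralAdSDK"
# From the article: malicious code reportedly introduced in version 5.5.1.
FIRST_FLAGGED = (5, 5, 1)

# Resolved entries look like "  - Name/Subspec (6.3.2):"; dependency
# constraints such as "(= 6.3.2)" or "(~> 6.3)" deliberately do not match.
ENTRY = re.compile(
    r'^\s*-\s+"?([A-Za-z0-9_+.\-]+)(?:/[^\s(]+)?\s+\((\d+(?:\.\d+)*)[^)]*\)'
)

def parse_version(text):
    """Turn '5.5.1' into (5, 5, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit_lockfile(lock_text, pod_name=POD_NAME):
    """Return {resolved_version: flagged} for every entry of pod_name."""
    findings = {}
    in_pods = False
    for line in lock_text.splitlines():
        # Unindented lines are top-level section headers (PODS:, DEPENDENCIES:).
        if line and not line[0].isspace():
            in_pods = line.strip() == "PODS:"
            continue
        if not in_pods:
            continue
        match = ENTRY.match(line)
        if not match or match.group(1).lower() != pod_name.lower():
            continue
        version = match.group(2)
        findings[version] = parse_version(version) >= FIRST_FLAGGED
    return findings

# Constructed sample lockfile, for illustration only.
SAMPLE_LOCK = """PODS:
  - Alamofire (5.2.2)
  - MintegralAdSDK (6.3.2):
    - MintegralAdSDK/BannerAd (= 6.3.2)
  - MintegralAdSDK/BannerAd (6.3.2)

DEPENDENCIES:
  - MintegralAdSDK (~> 6.3)
"""

if __name__ == "__main__":
    for version, flagged in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{POD_NAME} {version}: {'REVIEW' if flagged else 'pre-5.5.1'}")
```

A lockfile check only covers CocoaPods-managed dependencies; a copy of the framework vendored by hand into the project tree will not appear there.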

Comments
/s
Seriously, though, this is a cultural problem that sort of doubly hits in cases like these.
In China you've for a long time had a culture of "it's not illegal until it is", which seriously has limited some western companies' ability to work in China, because we usually try to get things legally cleared before we do anything. And it's been notoriously hard to get things cleared beforehand (so you're much better off simply getting local political support).
Secondly there has long been an encouragement of tech/knowhow acquisitions, which has been fuelled by a perception that unless you hurt the Chinese you have a situation similar to a victimless crime.
So basically you as a Chinese company can get away with anything, until it hurts the Chinese people. So if this doesn't cause a huuuuge shitstorm, then they are basically free to just say "ooops", and then continue as usual (perhaps after an update, and a promise to not do it again).