iOS Malware SourMint Deployed Through Popular Advertising SDK Infects Over 1200 iOS Apps
Security researchers at Snyk discovered malware in a popular advertising SDK used by over 1,200 apps in the App Store, which together could represent over 300 million downloads per month. The code was found in the iOS version of the SDK from mobile ad platform provider Mintegral and has been named SourMint. The code can spy on user activity by logging URL-based requests made through the app. The SDK also fraudulently reports user clicks on ads, stealing ad revenue from competing ad networks.
Everything that happens based on a URL request within an infected app gets recorded by the Mintegral SDK. This means the infected app captures the entire URL, which may contain identifiers and sensitive information. The capture could also include authentication tokens and the unique random number used to identify a device on the advertising network. It can even access the iOS device's IMEI. The recorded information is then sent to a remote logging server, so the data being collected could expose private information.
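A defender reviewing an app's network traffic can look for exactly the pattern described above: a request to a third-party host whose query string carries, percent-encoded, a full first-party URL that the app sent moments earlier. The script below is an added example, not code from the article or from Snyk's tooling; the capture format, the host names (`api.example-game.com`, `logs.example-adsdk.net`) and the list of sensitive query keys are constructed assumptions.

```python
"""Spot requests that relay another request's full URL to a third-party host.

Added example; this is not code from the article or from Snyk's tooling.
The log format, host names, query keys and sensitive-key list are constructed
assumptions for illustration only.
"""
from urllib.parse import urlsplit, parse_qs

# Query-parameter names that often carry secrets or device identifiers (assumed list).
SENSITIVE_KEYS = {"token", "access_token", "auth", "session", "idfa", "imei", "email"}

# Constructed proxy capture, one request per line: "<unix_ts> <bundle_id> <method> <url>".
SAMPLE_LOG = [
    "1598000001 com.example.game GET https://api.example-game.com/profile?user=42&token=abc123",
    "1598000002 com.example.game POST https://logs.example-adsdk.net/collect"
    "?u=https%3A%2F%2Fapi.example-game.com%2Fprofile%3Fuser%3D42%26token%3Dabc123",
    "1598000003 com.example.game GET https://cdn.example-game.com/assets/logo.png",
    "1598000004 com.example.game POST https://logs.example-adsdk.net/collect"
    "?u=https%3A%2F%2Fcdn.example-game.com%2Fassets%2Flogo.png",
]


def parse_line(line):
    """Split one capture line into its fields (the URL is the last, space-free field)."""
    ts, app, method, url = line.split(maxsplit=3)
    return {"ts": int(ts), "app": app, "method": method, "url": url,
            "host": urlsplit(url).hostname}


def sensitive_keys_in(url):
    """Return the sorted sensitive query-parameter names present in a URL."""
    return sorted(k for k in parse_qs(urlsplit(url).query) if k.lower() in SENSITIVE_KEYS)


def find_url_leaks(lines, first_party_hosts):
    """Return one finding per third-party request whose query parameters embed a
    first-party URL.  parse_qs percent-decodes values, so an encoded URL becomes
    a plain 'https://...' string that can be parsed again."""
    findings = []
    for rec in map(parse_line, lines):
        if rec["host"] in first_party_hosts:
            continue  # first-party traffic is what gets leaked, not the leak itself
        for key, values in parse_qs(urlsplit(rec["url"]).query).items():
            for value in values:
                if not value.startswith(("http://", "https://")):
                    continue
                if urlsplit(value).hostname in first_party_hosts:
                    findings.append({
                        "ts": rec["ts"],
                        "app": rec["app"],
                        "dest_host": rec["host"],
                        "param": key,
                        "leaked_url": value,
                        "sensitive": sensitive_keys_in(value),
                    })
    return findings


if __name__ == "__main__":
    for f in find_url_leaks(SAMPLE_LOG, {"api.example-game.com", "cdn.example-game.com"}):
        print(f"{f['ts']} {f['app']} -> {f['dest_host']} param={f['param']} "
              f"leaked={f['leaked_url']} sensitive={f['sensitive']}")
```

Run against a real capture, the `sensitive` field is what separates a harmless analytics beacon from a request that exports a session token or device identifier to an SDK vendor's logging server.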
Advertisers pay ad networks to promote their ads, and payment is credited based on the appearance and performance of the ad. App developers make money from the ad, and the ad network makes money from the advertisers. Ads can make quite a bit of money, and that is why the hackers prefer ad fraud. Mintegral is able to intercept every ad and URL click within the app. After intercepting the clicks, it fakes a click notification to the attribution provider, making it appear as if the click came from Mintegral's network. When a user clicks on an ad, the SDK takes over the process of displaying the ad and shows the Mintegral ad to the user.
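The fraud described above works because attribution providers commonly credit the last click before an install. An attribution provider or app publisher can detect the pattern on its own event stream: a click reported by a network that never logged an impression for that ad and device, arriving seconds after a rival network's genuine click. The following is an added example, not code from the article, from Snyk or from any attribution provider; the event format, the `INJECTION_WINDOW` threshold and the network names `netA`/`netB` are constructed assumptions.

```python
"""Flag click-injection patterns in ad-attribution events and compare naive
last-click attribution with a filtered one.

Added example; not code from the article, from Snyk, or from any attribution
provider.  Event format, thresholds and network names are constructed assumptions.
"""

INJECTION_WINDOW = 5       # seconds; assumed: a rival click this soon after another network's click is suspect
LOOKBACK = 7 * 24 * 3600   # seconds; assumed attribution lookback window

# Constructed event stream for one device: netA shows and receives a click on ad-1,
# then netB reports a click for the same ad one second later with no impression of its own.
SAMPLE_EVENTS = [
    {"t": 100, "type": "impression", "net": "netA", "ad": "ad-1", "device": "dev-1"},
    {"t": 105, "type": "click",      "net": "netA", "ad": "ad-1", "device": "dev-1"},
    {"t": 106, "type": "click",      "net": "netB", "ad": "ad-1", "device": "dev-1"},
    {"t": 300, "type": "install",    "net": None,   "ad": "ad-1", "device": "dev-1"},
]


def flag_suspicious_clicks(events):
    """Return [(click_event, [reasons])] for clicks that look injected:
    'no_impression'  - the reporting network never logged an impression for this ad/device;
    'shadows_<net>'  - the click lands within INJECTION_WINDOW of another network's click."""
    impressions = {(e["net"], e["ad"], e["device"]) for e in events if e["type"] == "impression"}
    clicks = sorted((e for e in events if e["type"] == "click"), key=lambda e: e["t"])
    flagged = []
    for i, click in enumerate(clicks):
        reasons = []
        if (click["net"], click["ad"], click["device"]) not in impressions:
            reasons.append("no_impression")
        for earlier in clicks[:i]:  # clicks are time-ordered, so these all precede `click`
            if (earlier["net"] != click["net"]
                    and earlier["ad"] == click["ad"]
                    and earlier["device"] == click["device"]
                    and click["t"] - earlier["t"] <= INJECTION_WINDOW):
                reasons.append("shadows_" + earlier["net"])
                break
        if reasons:
            flagged.append((click, reasons))
    return flagged


def attribute_install(events, device):
    """Credit an install under naive last-click and again after dropping flagged clicks."""
    install = next(e for e in events if e["type"] == "install" and e["device"] == device)
    suspicious = {(c["net"], c["t"]) for c, _ in flag_suspicious_clicks(events)}
    candidates = sorted(
        (e for e in events if e["type"] == "click" and e["device"] == device
         and 0 <= install["t"] - e["t"] <= LOOKBACK),
        key=lambda e: e["t"])
    clean = [c for c in candidates if (c["net"], c["t"]) not in suspicious]
    return {
        "naive_last_click": candidates[-1]["net"] if candidates else "organic",
        "filtered_last_click": clean[-1]["net"] if clean else "organic",
        "dropped": [c["net"] for c in candidates if c not in clean],
    }


if __name__ == "__main__":
    for click, reasons in flag_suspicious_clicks(SAMPLE_EVENTS):
        print(f"t={click['t']} {click['net']} click on {click['ad']}: {', '.join(reasons)}")
    print(attribute_install(SAMPLE_EVENTS, "dev-1"))
```

On the constructed stream the naive rule pays `netB` for an install that `netA` earned; the filtered rule restores the credit. In practice the two reasons are weighted differently, since a legitimate network can occasionally report a click without a matching impression, whereas a click that consistently lands a second after a competitor's is the stronger signal.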
Even though Apple's app review process is supposed to prevent this, Mintegral used various anti-debug protections within the SDK that were designed to prevent detection. If the SDK detects that the device is rooted or that a debugger or proxy tool is in use, it changes the app's behavior to hide the malicious activity. Not only do the ads hide malware, the malware hides itself from Apple's app review process. The SDK remained undetected for more than a year within the Apple App Store. SourMint first appeared in version 5.51 of the iOS SDK in July 2019 and continued through version 188.8.131.52. Since then it has been used in 1,200 iOS apps, including 70 of the top 500 free apps found on the App Store.
Apple's review of apps is comprehensive, but it looks like the Mintegral advertising framework has tricked it. No one has compiled a list of iOS apps exposed by SourMint. The Snyk team that discovered the malware in iOS has not found it in the Android version of the Mintegral SDK. App publishers can use a tool provided with Snyk's technical analysis of SourMint to test their apps for infection. App developers are responsible for the third-party code and SDK libraries that they use in their own mobile applications. As threats continue to increase, it is critical for software developers to mitigate the potential for malicious code making it into production and creating consumer privacy risks.