According to researchers, the malicious SDK was found in iOS apps downloaded at least 300 million times in a month and in 70 of the top 100 and top 500 apps available on the App Store.
The IT security researchers at Snyk have identified a malicious functionality in the iOS MintegralAdSDK, also called SourMint. It is distributed by China-based firm Mintegral, and is reportedly performing ad frauds on ‘hundreds of iOS apps.’
Snyk researchers claim that apart from ad fraud, SourMint compromises the privacy of countless iOS users.
The security researchers revealed that what appears as a legit advertising SDK for iOS app developers, it actually contains malicious code that can perform ad attribution fraud.
It can discreetly access link clicking activity within a majority of iOS apps using that SDK, which is distributed via Mintegral’s GitHub repository, Gradle/Maven for Android, and Cocoapods Package Manager for iOS. However, the Android version wasn’t found to be malicious, and only the iOS versions were malicious.
Additionally, SourMint can spy on the user’s link click activities to track app requests and report it back to Mintegral servers. Its activities stayed undetected for over a year as it first appeared in the 5.51 version of iOS SDK, released in July 2019, and continued through the latest version 126.96.36.199.
Snyk researchers identified the malicious SDK in a total of 1,200 iOS apps that are downloaded at least 300 million times in a month and in 70 of the top 100 and top 500 apps available on the App Store.
According to researchers, SourMint can monitor and track users when they click on links and exploits the iOS app’s communication functions to spy on individual link activity. It inserts itself into various app functions, which primarily allow the opening of resources when the user clicks on a link, through method swizzling and tracks all URLs the user accesses. This means, so far, SourMint has transferred data of millions of iOS users to Mintegral servers.
The SDK also allows Mintegral to steal the revenues of those networks that other apps, which integrate the malicious SDK, are using for attribution advertising. It hijacks the consumers and competing ad networks by manipulating click notifications that are used in the attribution for app installs, which weren’t generated by Minetgral’s ad platform.
Hence, the attribution platforms are tricked into associating an installation developed by another source to Mintegral. That’s how it manipulates the last-click attribution model, which attribution providers usually apply and impacts the revenues of other developers and advertisers.
Snyk CSO and co-founder Danny Grander suspect that this is an intentional behavior because the SDK searches for signs of proxy tools or a debugger prior to starting its malicious activities.
Therefore, it might be a way of determining if it is being analyzed or it could be using it for evading Apple’s app review process. Nonetheless, it is the first malicious SDK that can infiltrate the iOS ecosystem as it had successfully avoided detection using a variety of anti-debugging methods.
“Developers were unaware of the malicious package upon deploying the application, allowing it to proliferate for more than a year,” Grander stated.
Snyk researchers have alerted Apple already, but the tech giant states that it didn’t find any evidence that the apps integrated with Mintegral SDK are causing users any harm. The company noted that Snyk’s research indicates that a third-party code is introduced to enable the apps to perform undesired functions.