Experts at security firm Snyk discovered a malicious behavior in the advertising SDK SourMint developed by Mintegral, a China-based mobile advertising platform provider. The Mintegral SDK is advertised as a tool to help app developers and advertisers to build monetized ad-based marketing.
The SDK is used in more than 1,200 iOS apps currently available in the Apple App Store, these apps have a total of 300 million downloads per month.
Snyk researchers did not observe the same malicious behavior in the Android versions of the SourMint SDK.
The experts analyzed the code obtained from Mintegral’s official GitHub account and discovered that the malicious behavior was observed in versions of the iOS SDK dated back to 5.5.1 (released in July 2019).
According to Snyk, the SourMint SDK can allow Mintegral to steal revenue from other ad networks used by applications integrating the SDK. It also allegedly harvests system and device information, along with visited URLs, accessed through applications that leverage the SDK.
“The Snyk research team has uncovered malicious behavior in a popular Advertising SDK used by over 1,200 apps in the AppStore which represent over 300 Million downloads per month, based on industry expert estimates.” reads a post published by the security firm.
“The malicious code was uncovered in the iOS versions of the SDK from the Chinese mobile ad platform provider, Mintegral dating back to July 2019. The malicious code can spy on user activity by logging URL-based requests made through the app. This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information.”
The experts published a video to show how the SDK could collect data from the apps.
“Developers can sign up as publishers and download the SDK from the Mintegral site. Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including app store links, from within the app.” continues the post. “This gives the SDK access to a significant amount of data and even potentially private user information. The SDK also specifically examines these open URL events to determine if a competitor’s ad network SDK was the source of the activity.”
The researchers speculate that the behavior was intentionally implemented because the SDK looks for the use of a debugger and proxy tools before carrying out malicious activities. This means that developers use this trick to bypass Apple’s review process for applications published on the App Store.
“In order to discover this information, the Snyk Security Research Team added the SDK to a test application. To avoid the anti-tampering detection, application communications were intercepted at the wireless access point using a Man-in-the-Middle proxy (
mitm.it). Snyk used Hopper disassembler to investigate the code within the SDK and map out the functionality. We were able to identify this malicious functionality in versions of the SDK going back to 5.5.1 (current version as of this writing is 6.4.0).” concludes the report.
“Ultimately, through our own internal research as well as collaborating with key organizations and experts in the industry, we were able to confirm the full end-to-end hijacking of user ad click events.”
(SecurityAffairs – hacking, SourMint)