Malicious code that steals ad click revenue within apps has been discovered in a popular iOS software development kit.
The code was found hidden in the SDK of Chinese advertising platform Mintegral, according to a report by cybersecurity firm Snyk which notes the SDK is used by more than 1,200 apps that are downloaded a combined 300 million times a month.
Like other advertising-related SDKs, the Mintegral kit allows developers to embed ads within their apps without much effort or additional coding. Mintegral provides the SDK to developers for free on both iOS and Android.
According to Snyk, the iOS version of the software kit contains malicious features that silently wait for a user to tap on any ad that doesn't belong to the Mintegral network. When a tap is registered, the SDK hijacks the referral process and makes it appear that the user was actually clicking on a Mintegral ad.
Essentially, the malicious portion of the SDK — dubbed "SourMint" — is stealing app revenue from other ad networks. Many apps use multiple ad SDKs to diversify their monetization strategies.
In an email to ZDNet, Apple said that it has spoken to the Snyk security researchers and does not see any evidence that the SDK is harming users. Apple cited the ability for third-party SDKs to incorporate malicious features as a reason why it is debuting a slew of privacy- and security-focused mechanisms in iOS 14, due later in 2020.
Along with the ad fraud, Snyk also claims that the Mintegral kit is harvesting data on users. That includes URLs visited, sensitive information contained within a URL visit request, and a device's Identifier for Advertisers code.
According to Snyk, the "scope of data being collected is greater than would be necessary for legitimate click attribution." All of the user data is also being sent to a remote server.
Mintegral also appears to have portions of code that attempt to hide the nature of the data being collected.
Snyk didn't release a list of apps that use the Mintegral SDK, and users have no way of knowing which development kits an app maker uses in their platforms. Developers will need to review their own code bases to identify and remove the malicious kit. The malicious portion of the kit was reportedly introduced in version 5.5.1, released in July 17, 2019. Snyk notes that developers can also downgrade to an earlier version of the SDK without the malicious code.