More than 1,200 applications — exceeding 300 million collective monthly downloads — have incorporated a software development kit (SDK) from Chinese advertising service Mintegral that has malicious code to spy on user activity and steal potential revenue from competitors, software security firm Snyk stated in an analysis published on Aug. 24.
The malicious capabilities were integrated into the SDK distributed by advertising firm Mintegral sometime in July 2019. Normally a way for developers to monetize their applications, such an SDK can include functionality the developers do not know about. In the case of Mintegral, for more than a year, the surreptitious capabilities have both reassigned advertising clicks, so that the company profits from clicks on advertising fees intended for other ad networks, and passed along the full URL of the page associated with the application, potentially exposing security tokens and other sensitive information.
The malicious activity required in-depth analysis and help from advertising industry experts to decode, and developers likely would never have spotted the behavior, says Danny Grander, co-founder and chief security officer at Snyk.
"This is not visible to developer, because they are not stealing every click," he says. "It is probabilistic, and developers do not spend their time analyzing every line of code and any binaries that are incorporated into their apps."
The company briefed Apple on the results of the investigation last Friday. Mintegral had not responded to a request for comment by the time of publication. Apple provided only general information about privacy practices as background but no specific statement on the case.
The analysis, if confirmed by Apple, could result in the advertising framework being banned from the platform, as Apple holds developers responsible for the behavior of their apps. In 2015, for example, Apple banned an SDK distributed by Chinese advertising firm Youmi and removed more than 250 applications from the app store after it was discovered that the SDK collected the user's e-mail address and information on the other applications on the user's phone.
While the advertising fraud could be the more profitable of the two surreptitious capabilities included in the SDK, the collection of sensitive information is more worrisome, Grander says. "This code, it can do anything — just the leaked credentials for one app can give you quite a lot, because you can abuse it later without any access to the device," he adds.
Advertising fraud is a popular way for cybercriminals and fraudsters to siphon money from the online advertising ecosystem. In 2016, for example, advertising-integrity firm White Ops discovered that Russian cybercriminals had stolen $3 million to $5 million every day from publishers who paid for fraudulent clicks in an vast operation known as Methbot.
Using software development kits that can be incorporated by unwitting developers into their apps, some fraudsters have made inroads into the major app stores maintained by Apple and Google. In October, security firm RiskIQ blocked 20% more malicious applications across third-party app stores.
In the latest case, Mintegral appears to have modified its SDK in July 2019 to add additional capabilities, including reassigning ad clicks from other advertisers to its own advertising stock.
"Developers can sign up as publishers and download the SDK from the Mintegral site," Alyssa Miller, application-security advocate at Snyk, stated in a blog post describing the issues. "Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including app store links, from within the app. This gives the SDK access to a significant amount of data and even potentially private user information."
The Mintegral SDK included a number of anti-analysis measures, such as double obfuscation of the data collected from users, that made it more difficult to reverse engineer, Snyk stated in its analysis. For example, the code will try to determine if the phone is being emulated on an analysis platform.
The SDK captures every detail of URL-based requests made within the context of any application that includes the software, Snyk stated. Information potentially at risk includes the URL with any identifiers or security tokens, headers, and the device identifier for advertisers, or IDFA. In a video included with the published analysis, Snyk shows the details of a Google document being captured by the Mintegral SDK.
Snyk confirmed that the company had given Apple details of its investigation on Friday. "Apple confirmed Friday that they are currently working to remedy this," a spokesperson said.
Apple will require developers to publish summaries of their privacy practices starting with OS 14, coming next month, and will include the information when it displays applications in the Apple App Store.