Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:10 AM

Large Ad Network Collects Private Activity Data, Reroutes Clicks

A Chinese mobile advertising firm has modified code in the software development kit included in more than 1,200 apps, maliciously collecting user activity and performing ad fraud, says Snyk, a software security firm.

More than 1,200 applications — exceeding 300 million collective monthly downloads — have incorporated a software development kit (SDK) from Chinese advertising service Mintegral that has malicious code to spy on user activity and steal potential revenue from competitors, software security firm Snyk stated in an analysis published on Aug. 24.

The malicious capabilities were integrated into the SDK distributed by advertising firm Mintegral sometime in July 2019. Normally a way for developers to monetize their applications, such an SDK can include functionality the developers do not know about. In the case of Mintegral, for more than a year, the surreptitious capabilities have both reassigned advertising clicks, so that the company profits from clicks on advertising fees intended for other ad networks, and passed along the full URL of the page associated with the application, potentially exposing security tokens and other sensitive information.

The malicious activity required in-depth analysis and help from advertising industry experts to decode, and developers likely would never have spotted the behavior, says Danny Grander, co-founder and chief security officer at Snyk. 

"This is not visible to developer, because they are not stealing every click," he says. "It is probabilistic, and developers do not spend their time analyzing every line of code and any binaries that are incorporated into their apps."

The company briefed Apple on the results of the investigation last Friday. Mintegral had not responded to a request for comment by the time of publication. Apple provided only general information about privacy practices as background but no specific statement on the case.

The analysis, if confirmed by Apple, could result in the advertising framework being banned from the platform, as Apple holds developers responsible for the behavior of their apps. In 2015, for example, Apple banned an SDK distributed by Chinese advertising firm Youmi and removed more than 250 applications from the app store after it was discovered that the SDK collected the user's e-mail address and information on the other applications on the user's phone.

While the advertising fraud could be the more profitable of the two surreptitious capabilities included in the SDK, the collection of sensitive information is more worrisome, Grander says. "This code, it can do anything — just the leaked credentials for one app can give you quite a lot, because you can abuse it later without any access to the device," he adds.

Advertising fraud is a popular way for cybercriminals and fraudsters to siphon money from the online advertising ecosystem. In 2016, for example, advertising-integrity firm White Ops discovered that Russian cybercriminals had stolen $3 million to $5 million every day from publishers who paid for fraudulent clicks in an vast operation known as Methbot. 

Using software development kits that can be incorporated by unwitting developers into their apps, some fraudsters have made inroads into the major app stores maintained by Apple and Google. In October, security firm RiskIQ blocked 20% more malicious applications across third-party app stores.

In the latest case, Mintegral appears to have modified its SDK in July 2019 to add additional capabilities, including reassigning ad clicks from other advertisers to its own advertising stock. 

"Developers can sign up as publishers and download the SDK from the Mintegral site," Alyssa Miller, application-security advocate at Snyk, stated in a blog post describing the issues. "Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including app store links, from within the app. This gives the SDK access to a significant amount of data and even potentially private user information."

The Mintegral SDK included a number of anti-analysis measures, such as double obfuscation of the data collected from users, that made it more difficult to reverse engineer, Snyk stated in its analysis. For example, the code will try to determine if the phone is being emulated on an analysis platform. 

The SDK captures every detail of URL-based requests made within the context of any application that includes the software, Snyk stated. Information potentially at risk includes the URL with any identifiers or security tokens, headers, and the device identifier for advertisers, or IDFA. In a video included with the published analysis, Snyk shows the details of a Google document being captured by the Mintegral SDK.

Snyk confirmed that the company had given Apple details of its investigation on Friday. "Apple confirmed Friday that they are currently working to remedy this," a spokesperson said.

Apple will require developers to publish summaries of their privacy practices starting with OS 14, coming next month, and will include the information when it displays applications in the Apple App Store.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Readings:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
PUBLISHED: 2020-09-21
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient policy enforcement in media in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.