Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

8/24/2020
11:10 AM
50%
50%

Large Ad Network Collects Private Activity Data, Reroutes Clicks

A Chinese mobile advertising firm has modified code in the software development kit included in more than 1,200 apps, maliciously collecting user activity and performing ad fraud, says Snyk, a software security firm.

More than 1,200 applications — exceeding 300 million collective monthly downloads — have incorporated a software development kit (SDK) from Chinese advertising service Mintegral that has malicious code to spy on user activity and steal potential revenue from competitors, software security firm Snyk stated in an analysis published on Aug. 24.

The malicious capabilities were integrated into the SDK distributed by advertising firm Mintegral sometime in July 2019. Normally a way for developers to monetize their applications, such an SDK can include functionality the developers do not know about. In the case of Mintegral, for more than a year, the surreptitious capabilities have both reassigned advertising clicks, so that the company profits from clicks on advertising fees intended for other ad networks, and passed along the full URL of the page associated with the application, potentially exposing security tokens and other sensitive information.

The malicious activity required in-depth analysis and help from advertising industry experts to decode, and developers likely would never have spotted the behavior, says Danny Grander, co-founder and chief security officer at Snyk. 

"This is not visible to developer, because they are not stealing every click," he says. "It is probabilistic, and developers do not spend their time analyzing every line of code and any binaries that are incorporated into their apps."

The company briefed Apple on the results of the investigation last Friday. Mintegral had not responded to a request for comment by the time of publication. Apple provided only general information about privacy practices as background but no specific statement on the case.

The analysis, if confirmed by Apple, could result in the advertising framework being banned from the platform, as Apple holds developers responsible for the behavior of their apps. In 2015, for example, Apple banned an SDK distributed by Chinese advertising firm Youmi and removed more than 250 applications from the app store after it was discovered that the SDK collected the user's e-mail address and information on the other applications on the user's phone.

While the advertising fraud could be the more profitable of the two surreptitious capabilities included in the SDK, the collection of sensitive information is more worrisome, Grander says. "This code, it can do anything — just the leaked credentials for one app can give you quite a lot, because you can abuse it later without any access to the device," he adds.

Advertising fraud is a popular way for cybercriminals and fraudsters to siphon money from the online advertising ecosystem. In 2016, for example, advertising-integrity firm White Ops discovered that Russian cybercriminals had stolen $3 million to $5 million every day from publishers who paid for fraudulent clicks in an vast operation known as Methbot. 

Using software development kits that can be incorporated by unwitting developers into their apps, some fraudsters have made inroads into the major app stores maintained by Apple and Google. In October, security firm RiskIQ blocked 20% more malicious applications across third-party app stores.

In the latest case, Mintegral appears to have modified its SDK in July 2019 to add additional capabilities, including reassigning ad clicks from other advertisers to its own advertising stock. 

"Developers can sign up as publishers and download the SDK from the Mintegral site," Alyssa Miller, application-security advocate at Snyk, stated in a blog post describing the issues. "Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including app store links, from within the app. This gives the SDK access to a significant amount of data and even potentially private user information."

The Mintegral SDK included a number of anti-analysis measures, such as double obfuscation of the data collected from users, that made it more difficult to reverse engineer, Snyk stated in its analysis. For example, the code will try to determine if the phone is being emulated on an analysis platform. 

The SDK captures every detail of URL-based requests made within the context of any application that includes the software, Snyk stated. Information potentially at risk includes the URL with any identifiers or security tokens, headers, and the device identifier for advertisers, or IDFA. In a video included with the published analysis, Snyk shows the details of a Google document being captured by the Mintegral SDK.

Snyk confirmed that the company had given Apple details of its investigation on Friday. "Apple confirmed Friday that they are currently working to remedy this," a spokesperson said.

Apple will require developers to publish summaries of their privacy practices starting with OS 14, coming next month, and will include the information when it displays applications in the Apple App Store.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Inside North Korea's Rapid Evolution to Cyber Superpower
Kelly Sheridan, Staff Editor, Dark Reading,  12/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25465
PUBLISHED: 2020-12-04
Null Pointer Dereference. in xObjectBindingFromExpression at moddable/xs/sources/xsSyntaxical.c:3419 in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25461
PUBLISHED: 2020-12-04
Invalid Memory Access in the fxProxyGetter function in moddable/xs/sources/xsProxy.c in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25462
PUBLISHED: 2020-12-04
Heap buffer overflow in the fxCheckArrowFunction function at moddable/xs/sources/xsSyntaxical.c:3562 in Moddable SDK before OS200903.
CVE-2020-25463
PUBLISHED: 2020-12-04
Invalid Memory Access in fxUTF8Decode at moddable/xs/sources/xsCommon.c:916 in Moddable SDK before OS200908 causes a denial of service (SEGV).
CVE-2020-25464
PUBLISHED: 2020-12-04
Heap buffer overflow at moddable/xs/sources/xsDebug.c in Moddable SDK before before 20200903. The top stack frame is only partially initialized because the stack overflowed while creating the frame. This leads to a crash in the code sending the stack frame to the debugger.