Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:10 AM

Large Ad Network Collects Private Activity Data, Reroutes Clicks

A Chinese mobile advertising firm has modified code in the software development kit included in more than 1,200 apps, maliciously collecting user activity and performing ad fraud, says Snyk, a software security firm.

More than 1,200 applications — exceeding 300 million collective monthly downloads — have incorporated a software development kit (SDK) from Chinese advertising service Mintegral that has malicious code to spy on user activity and steal potential revenue from competitors, software security firm Snyk stated in an analysis published on Aug. 24.

The malicious capabilities were integrated into the SDK distributed by advertising firm Mintegral sometime in July 2019. Normally a way for developers to monetize their applications, such an SDK can include functionality the developers do not know about. In the case of Mintegral, for more than a year, the surreptitious capabilities have both reassigned advertising clicks, so that the company profits from clicks on advertising fees intended for other ad networks, and passed along the full URL of the page associated with the application, potentially exposing security tokens and other sensitive information.

The malicious activity required in-depth analysis and help from advertising industry experts to decode, and developers likely would never have spotted the behavior, says Danny Grander, co-founder and chief security officer at Snyk. 

"This is not visible to developer, because they are not stealing every click," he says. "It is probabilistic, and developers do not spend their time analyzing every line of code and any binaries that are incorporated into their apps."

The company briefed Apple on the results of the investigation last Friday. Mintegral had not responded to a request for comment by the time of publication. Apple provided only general information about privacy practices as background but no specific statement on the case.

The analysis, if confirmed by Apple, could result in the advertising framework being banned from the platform, as Apple holds developers responsible for the behavior of their apps. In 2015, for example, Apple banned an SDK distributed by Chinese advertising firm Youmi and removed more than 250 applications from the app store after it was discovered that the SDK collected the user's e-mail address and information on the other applications on the user's phone.

While the advertising fraud could be the more profitable of the two surreptitious capabilities included in the SDK, the collection of sensitive information is more worrisome, Grander says. "This code, it can do anything — just the leaked credentials for one app can give you quite a lot, because you can abuse it later without any access to the device," he adds.

Advertising fraud is a popular way for cybercriminals and fraudsters to siphon money from the online advertising ecosystem. In 2016, for example, advertising-integrity firm White Ops discovered that Russian cybercriminals had stolen $3 million to $5 million every day from publishers who paid for fraudulent clicks in an vast operation known as Methbot. 

Using software development kits that can be incorporated by unwitting developers into their apps, some fraudsters have made inroads into the major app stores maintained by Apple and Google. In October, security firm RiskIQ blocked 20% more malicious applications across third-party app stores.

In the latest case, Mintegral appears to have modified its SDK in July 2019 to add additional capabilities, including reassigning ad clicks from other advertisers to its own advertising stock. 

"Developers can sign up as publishers and download the SDK from the Mintegral site," Alyssa Miller, application-security advocate at Snyk, stated in a blog post describing the issues. "Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including app store links, from within the app. This gives the SDK access to a significant amount of data and even potentially private user information."

The Mintegral SDK included a number of anti-analysis measures, such as double obfuscation of the data collected from users, that made it more difficult to reverse engineer, Snyk stated in its analysis. For example, the code will try to determine if the phone is being emulated on an analysis platform. 

The SDK captures every detail of URL-based requests made within the context of any application that includes the software, Snyk stated. Information potentially at risk includes the URL with any identifiers or security tokens, headers, and the device identifier for advertisers, or IDFA. In a video included with the published analysis, Snyk shows the details of a Google document being captured by the Mintegral SDK.

Snyk confirmed that the company had given Apple details of its investigation on Friday. "Apple confirmed Friday that they are currently working to remedy this," a spokesperson said.

Apple will require developers to publish summaries of their privacy practices starting with OS 14, coming next month, and will include the information when it displays applications in the Apple App Store.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-15
Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deploye...
PUBLISHED: 2021-04-15
Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS. By gaining con...
PUBLISHED: 2021-04-15
Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read...
PUBLISHED: 2021-04-15
Denial of Service vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to cause a BSoD through suspending a process, modifying the processes memory and restarting it. This is triggered by the hdlphook driver reading invali...
PUBLISHED: 2021-04-15
Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses. This is achieved by launching applications, suspending them, modifying the memory and restarting ...