Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:10 AM

Large Ad Network Collects Private Activity Data, Reroutes Clicks

A Chinese mobile advertising firm has modified code in the software development kit included in more than 1,200 apps, maliciously collecting user activity and performing ad fraud, says Snyk, a software security firm.

More than 1,200 applications — exceeding 300 million collective monthly downloads — have incorporated a software development kit (SDK) from Chinese advertising service Mintegral that has malicious code to spy on user activity and steal potential revenue from competitors, software security firm Snyk stated in an analysis published on Aug. 24.

The malicious capabilities were integrated into the SDK distributed by advertising firm Mintegral sometime in July 2019. Normally a way for developers to monetize their applications, such an SDK can include functionality the developers do not know about. In the case of Mintegral, for more than a year, the surreptitious capabilities have both reassigned advertising clicks, so that the company profits from clicks on advertising fees intended for other ad networks, and passed along the full URL of the page associated with the application, potentially exposing security tokens and other sensitive information.

The malicious activity required in-depth analysis and help from advertising industry experts to decode, and developers likely would never have spotted the behavior, says Danny Grander, co-founder and chief security officer at Snyk. 

"This is not visible to developer, because they are not stealing every click," he says. "It is probabilistic, and developers do not spend their time analyzing every line of code and any binaries that are incorporated into their apps."

The company briefed Apple on the results of the investigation last Friday. Mintegral had not responded to a request for comment by the time of publication. Apple provided only general information about privacy practices as background but no specific statement on the case.

The analysis, if confirmed by Apple, could result in the advertising framework being banned from the platform, as Apple holds developers responsible for the behavior of their apps. In 2015, for example, Apple banned an SDK distributed by Chinese advertising firm Youmi and removed more than 250 applications from the app store after it was discovered that the SDK collected the user's e-mail address and information on the other applications on the user's phone.

While the advertising fraud could be the more profitable of the two surreptitious capabilities included in the SDK, the collection of sensitive information is more worrisome, Grander says. "This code, it can do anything — just the leaked credentials for one app can give you quite a lot, because you can abuse it later without any access to the device," he adds.

Advertising fraud is a popular way for cybercriminals and fraudsters to siphon money from the online advertising ecosystem. In 2016, for example, advertising-integrity firm White Ops discovered that Russian cybercriminals had stolen $3 million to $5 million every day from publishers who paid for fraudulent clicks in an vast operation known as Methbot. 

Using software development kits that can be incorporated by unwitting developers into their apps, some fraudsters have made inroads into the major app stores maintained by Apple and Google. In October, security firm RiskIQ blocked 20% more malicious applications across third-party app stores.

In the latest case, Mintegral appears to have modified its SDK in July 2019 to add additional capabilities, including reassigning ad clicks from other advertisers to its own advertising stock. 

"Developers can sign up as publishers and download the SDK from the Mintegral site," Alyssa Miller, application-security advocate at Snyk, stated in a blog post describing the issues. "Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including app store links, from within the app. This gives the SDK access to a significant amount of data and even potentially private user information."

The Mintegral SDK included a number of anti-analysis measures, such as double obfuscation of the data collected from users, that made it more difficult to reverse engineer, Snyk stated in its analysis. For example, the code will try to determine if the phone is being emulated on an analysis platform. 

The SDK captures every detail of URL-based requests made within the context of any application that includes the software, Snyk stated. Information potentially at risk includes the URL with any identifiers or security tokens, headers, and the device identifier for advertisers, or IDFA. In a video included with the published analysis, Snyk shows the details of a Google document being captured by the Mintegral SDK.

Snyk confirmed that the company had given Apple details of its investigation on Friday. "Apple confirmed Friday that they are currently working to remedy this," a spokesperson said.

Apple will require developers to publish summaries of their privacy practices starting with OS 14, coming next month, and will include the information when it displays applications in the Apple App Store.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
IBM Spectrum Protect Server 7.1 and 8.1 is subject to a stack-based buffer overflow caused by improper bounds checking during the parsing of commands. By issuing such a command with an improper parameter, an authorized administrator could overflow a buffer and cause the server to crash. IBM X-Force ...
PUBLISHED: 2021-04-16
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend...
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...