More than 1,200 iPhone apps infected with malware — what you need to know

News
By published

Ad-serving framework conceals malicious behavior from Apple

iPhone 11
(Image credit: Apple)

More than 1,200 iPhone and iPad apps that are downloaded 300 million times every month contain malicious code that secretly steals user data and redirects ads, an application-security firm says. Tt appears that the malicious code was able to, and may have been designed to, evade Apple's iOS app-screening procedures.

In a new report released yesterday (Aug. 24), Boston-based Snyk says it discovered that the Mintegral software development kit (SDK) for iOS, an in-app advertising framework developed in China, logs the URL requests and request headers made by app users, either of which might include personal information.

"The scope of data being collected is greater than would be necessary for legitimate click attribution," Snyk's Alyssa Miller wrote in a Snyk company blog post yesterday. "The app also uses questionable coding methods to achieve this level of data access."

Unfortunately, there's little iPhone or iPad users can do about this malware, which Snyk calls "SourMint." It won't be easy to determine from the user end whether an iOS app is using this particular advertising SDK. 

Tom's Guide has reached out to Apple seeking comment, and we will update this story when we receive a reply. But ZDNet reported that Apple said it had no evidence that the Mintegral SDK was negatively affecting iOS users.

How the malware works

Mintegral is just one of many advertising SDKs in common use worldwide, and many mobile apps bundle in multiple SDKs to maximize ad revenue. Mintegral also makes an SDK for Android apps, but Snyk said it was not able to find any evidence of malicious activity by the SDK on Android.

The Mintegral SDK also commits ad fraud by hijacking other advertising frameworks' ad requests and claiming them as its own, stealing revenue that should have gone to other parties.

"The Mintegral SDK is able to intercept all of the ad clicks (and other URL clicks as well) within the application," Miller wrote.

"It uses this information to forge click notifications to the attribution provider," Miller added. "The forged notifications make it appear that the ad click came through their network even though it may have been a competing ad network that served the ad."

Ad fraud by itself doesn't harm users, although it's illegal. But the logging of the URLs could disclose unique identifiers embedded in URLs to Mintegral, Snyk said, and the request headers "could include authentication tokens and other sensitive information." 

It knows when it's being watched

Furthermore, the Mintegral SDK seems to be trying to hide this activity: "If it finds evidence that it is being watched, the SDK modifies its behavior in an apparent attempt to mask its malicious behaviors," Snyk wrote.

The malicious activity will stop if the SDK detects that it is running on a rooted phone or if debugging software is being used — both tools commonly used by security researchers.

"This may also help the SDK pass through Apple’s app review process without being detected," Miller noted.

"The attempts by Mintegral to conceal the nature of the data being captured, both through anti-tampering controls and a custom proprietary encoding technique, are reminiscent of similar functionality reported by researchers that analyzed the Tik Tok app," Miller added. 

Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.