Malicious code reportedly found in iOS apps installed by billions of users

(Image credit: Apple)

A popular Chinese mobile advertising SDK has been found to contain malicious code capable of spying on iOS users and siphoning off ad revenue, a new report claims.

According to security firm Snyk, Mintegral SDK is used across 1,200 different iOS apps, with over 300 million collective downloads per month - and therefore billions of total installs.

The free SDK is used by both Android and iOS developers to embed third-party ads into their applications. However, the Mintegral SDK for iOS is said to conceal malicious code that allows it to monitor user activity and steal ad revenue from its competitors.

Whenever a user clicks on an ad that is not served by the Mintegral network, the SDK inserts itself into the referral process, hoodwinking iOS into thinking the user had clicked on a different ad entirely.

Mintegral iOS SDK

On top of the accusations relating to advertisement attribution fraud, the Snyk report also claims the Mintegral iOS SDK is built to stealthily collect information about the user.

The SDK reportedly records details of all URL-based requests made via the compromised applications, before sending the information on to a remote logging server. The data types collected are listed as follows:

  • The URL that was requested, which could potentially include identifiers and other sensitive information
  • Headers of the request that was made, which could include authentication tokens
  • Where in the application's code the request originated, which could help identify user patterns
  • The device's Identifier for Advertisers (IDFA) and unique hardware identifier

“The attempts to conceal the nature of the data being captured, both through anti-tampering controls and a custom proprietary encoding technique, are reminiscent of similar functionality reported by researchers that analyzed the TikTok app,” explained Alyssa Miller, Application Security Advocate at Synk.

“In the case of [the Mintegral iOS SDK], the scope of data being collected is greater than would be necessary for legitimate click attribution.”

According to Snyk, the first malicious version of the SDK was launched on July 17 2019 and all subsequent versions were found to contain the same functionality.

The security firm has declined to publish a list of affected apps, but claims that “many popular applications were affected by the malicious activities of this SDK”.

However, Mintegral has since issued a statement in which the firm denies any wrongdoing and gestures towards its ongoing cooperation with Apple.

“Recently, a report from Snyk accused Mintegral of malpractices to commit fraud and invade privacy. Mintegral denies these allegations,” reads the statement.

“Mintegral has stated it takes matters of privacy and fraud very seriously and is conducting a thorough analysis of these allegations and where they are coming from.”

The organization also notes that Apple has spoken with the researchers about their report and, in an email dated August 24, explained it had not identified any evidence the Mintegral SDK is used to spy on users.

“Mintegral practices have never conflicted with Apple’s terms of service or violated customer trust. Mintegral has ensured data would never be used for any fraudulent install claims and take these allegations very seriously,” added the Chinese firm.

  • Here's our list of the best VPN services out there
TOPICS
Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.