In an explosive report published today, developer security firm Snyk claims it found malicious code inside a popular iOS SDK used by more than 1,200 iOS applications, all collectively downloaded more than 300 million times per month.
According to Snyk, this malicious code was hidden inside the iOS SDK of Mintegral, a Chinese-based advertising platform.
Mintegral provides this SDK to Android and iOS app developers for free. Developers use the SDK to embed ads inside their apps with just a few lines of code, in order to cut down development time and costs.
But Snyk claims the iOS version of this SDK contains malicious features that sit silently in an iOS app's background and wait for a tap on any ad that's not its own (mobile apps regularly use multiple advertising SDKs to diversify their ads and monetization strategies).
When an ad tap takes place, the Mintegratal SDK hijacks the click referral process, making it appear to the underlying iOS operating system that the user clicked on one of its ads, instead of a competitor's, effectively robbing revenue from other SDKs and advertising networks.
Logging user information as well
But while it appears that Mintegral is engaging in ad fraud, Snyk claims the SDK also contains other sneaky functions aimed at logging and collecting user-related information.
"Snyk further learned that the Mintegral SDK captures details of every URL-based request that is made from within the compromised application," the company said in a blog post today.
This information is logged and then sent to a remote server, and includes details such as:
the URL that was requested, which could potentially include identifiers or other sensitive information
headers of the request that was made which could include authentication tokens and other sensitive information
wherein the application's code the request originated which could help identify user patterns
the device's Identifier for Advertisers (IDFA), which is a unique random number used to identify the device and the unique hardware identifier of the device, the IMEI.
"The attempts by Mintegral to conceal the nature of the data being captured, both through anti-tampering controls and a custom proprietary encoding technique, are reminiscent of similar functionality reported by researchers that analyzed the Tik Tok app," said Alyssa Miller, Application Security Advocate at Snyk.
"In the case of SourMint [codename given by Snyk to the Mintegral iOS SDK], the scope of data being collected is greater than would be necessary for legitimate click attribution," Miller added.
Snyk did not release a list of iOS apps using the Mintegral SDK; however, the company said that the first version of the SDK where they found the malicious code was v5.5.1, released on July 17, 2019.
iOS users have no way of telling if they're using an app that secretly loads the Mintegral SDK, so there's little they can do to safeguard their private information and browsing habits. Nonetheless, app developers can use the information from the Snyk report to review their app codebases and remove the SDK, or downgrade to a version where the malicious code is not present.
In an email today, Apple said it has spoken with Snyk researchers about their report, and that they have not seen any evidence the Mintegral SDK is harming users, at least for the time being.
The OS maker said that app developers are responsible for the SDKs they put in their apps, and that many third-party libraries may include code that may be misinterpreted and abused due to its specific functionality, situations that Apple has seen in the past.
Apple cited these dual-functionality SDKs as the reason why the company chose in recent years to expand the privacy controls it now offers to users through iOS, specifically pointing at a big batch of new privacy-boosting features set to arrive later this year, with the release of iOS 14, which will help unmask privacy-intrusive apps and SDKs easier.
As for Mintegral, the company vehemently denied the Snyk report, calling its findings as "false allegations." In a document shared with ZDNet, the company promised to investigate the accusations of ad fraud, and also explained that its user data collection mechanism is nothing different that what other advertising companies are doing.
Article updated shortly after publication with comment from Apple, and on August 24 with Mintegral's reply.
Update on September 4 to add that Mintegra has open-sourced its SDK following the recent allegations made by Snyk.