Aug 24, 2020 SOURCE: PR NewsWire

Snyk exposes a malicious iOS SDK that breached user privacy for millions and performed ad fraud in thousands of apps

BOSTON, Aug. 24, 2020 /PRNewswire/ -- Snyk, the leader in developer-first security, has discovered a malicious functionality within the iOS MintegralAdSDK (aka SourMint), distributed by a Chinese company named Mintegral. SourMint actively performed ad fraud on hundreds of iOS apps and brought with it major privacy concerns to hundreds of millions of consumers. On the surface, the MintegralAdSDK posed as a legitimate advertising SDK for iOS app developers, but its malicious code appeared to commit ad attribution fraud by secretly accessing link clicking activity within thousands of iOS apps that use the SDK. SourMint also spied on user link click activity, improperly tracking requests performed by the app and reporting it back to Mintegral's servers. Snyk's Security Research team exposed SourMint and responsibly disclosed the information to Apple, alerting them to the active supply chain attack.

The SDK was distributed through Mintegral's GitHub Repository, Cocoapods Package Manager for iOS; and Gradle/Maven for Android (which does not appear to be malicious). Unbeknownst to developers integrating it into their applications, the iOS versions of the SDK were malicious. The SDK remained undetected for more than a year within the Apple App Store; SourMint first appeared in the 5.51 version of iOS in July 2019 continuing through version 6.3.7.0. Since then it has been identified in 1,200 iOS apps, including approximately 70 of the top 500 free apps found on the App Store, some of which are in the top 100.

The vulnerability was exposed by Snyk's Security team that manages and curates the Snyk Intel Vulnerability Database - the most advanced and accurate open source vulnerability database in the industry. The Snyk Intel Vulnerability DB maintains its high standards enabling customers to be optimally efficient at containing open source security issues while maintaining their focus on development.

The Snyk Security team found that SourMint has two major malicious functionalities in the SDK:

    --  Compromising app user privacy SourMint monitored and tracked when users
        clicked on links, spying on individual link activity by hooking onto the
        communication functions the iOS app user deployed. The SDK inserted
        itself via method swizzling into several functions responsible for
        opening resources in response to the user clicking on a link once it was
        installed. This allowed Mintegral to track all URLs accessed by the user
        and report the data back to Mintegral's servers. This has impacted
        millions of consumers to date.

    --  Advertising attribution fraud SourMint was hijacking competing ad
        networks and consumers by manipulating click notifications used in
        attribution for app installs that were not actually generated by the
        Mintegral advertising platform. This process tricked attribution
        platforms to associate an install created by another source to Mintegral
        - manipulating the 'last click attribution model' commonly applied by
        attribution providers. This likely impacted the business of other
        advertisers and developers by taking away value that should have been
        attributed to them.

"As the first malicious SDK of this kind to infiltrate the iOS ecosystem, SourMint was very sophisticated. It avoided detection for so long by utilizing various obfuscations and anti-debugging tricks," said Danny Grander, Snyk co-founder and CSO. "Developers were unaware of the malicious package upon deploying the application, allowing it to proliferate for more than a year. We are proud of the Snyk Research team for exposing SourMint, and we hope this raises awareness within the developer community about the need to integrate continuous security early into the development process. As cyber risk continues to ramp up, it's critical for all software developers to mitigate the potential of malicious code making it into production and creating consumer privacy risk at this scale."

To learn more about the malicious SDK, read Snyk's blog post and research analysis on SourMint here .

About Snyk

Snyk is a developer-first security company that helps software-driven businesses develop fast and stay secure. Snyk is the only solution that seamlessly and proactively finds and fixes vulnerabilities and license violations in open source dependencies and container images. Snyk's solution is built on a comprehensive, proprietary vulnerability database, maintained by an expert security research team in Israel and London. With tight integration into existing developer workflows, source control (including GitHub, Bitbucket, GitLab), and CI/CD pipelines, Snyk enables efficient security workflows and reduces mean-time-to-fix. For more information or to get started with Snyk for free today, visit https://snyk.io.

View original content:http://www.prnewswire.com/news-releases/snyk-exposes-a-malicious-ios-sdk-that-breached-user-privacy-for-millions-and-performed-ad-fraud-in-thousands-of-apps-301116756.html

SOURCE Snyk

SNYK

Related News

Snyk Achieves CarbonNeutral® Company Certification

Snyk Closes $200M Series D as Valuation Surpasses $2.6B

Snyk Brings Developer-first Security to Infrastructure as Code

Snyk Achieves Red Hat OpenShift Operator Certification and Joins Red Hat Marketplace

Snyk Is Named To The 2020 Forbes Cloud 100

Snyk Strengthens Prioritization Capabilities to Increase Developer Efficiency and Reduce Risk

Snyk Announces Acquisition of DeepCode

Snyk and Rapid7 Extend Strategic Partnership to Offer Comprehensive Cloud Native Application Security Solution

View all News

Latest Procurements

Market Sounding - Defence Infrastructure Panel – Construction Major Works

To assist the Commonwealth of Australia (Commonwealth), represented by the Department of Defence, in considering the potential establishment of a standing offer for the undertaking of major construction works described...

ATM 24/2948 drone-mounted Magnetometer

Provision of a drone-mounted Magnetometer to the Australian Antarctic Division

ANSTO Engineering Design Services Panel

The ANSTO Engineering Panel will be established to support the design and development of new facilities, major projects, minor works, and ongoing building renovation and refurbishment needs across many different...

View all Procurementsp

Agenda

June

FranceParc des Expositions de Paris Nord Villepinte ZAC Paris Nord 2, 93420 Villepinte – France (Halls 5a – 5b – 6)

Eurosatory 2024, 17 - 21 June 2024, Parc des Expositions de Paris Nord Villepinte ZAC Paris Nord 2, 93420 Villepinte – France (Halls 5a – 5b – 6)

Eurosatory 2024 There can be no sustainable world without peace and security. Founded in 1967, the exhibition...

May

Paris Marriott Rive Gauche & Conference Center

Future Artillery, 21-23 May 2024, Paris Marriott Rive Gauche & Conference Center, France

DELIVERING FIRES IN THE MULTI-DOMAIN BATTLESPACE As artillery reasserts itself as the ‘King of Battlefield’ in the wake...

May

United Arab EmiratesADNEC (Abu Dhabi National Exhibition Centre), Abu Dhabi, Al Khaleej Al Arabi St - Al Rawdah - Al Ma'arid - Abu Dhabi, UAE

ISNR Abu Dhabi 2024, 21-23 May 2024, ADNEC (Abu Dhabi National Exhibition Centre), Abu Dhabi, Al Khaleej Al Arabi St - Al Rawdah - Al Ma'arid - Abu Dhabi, UAE

ISNR ACCELERATING TRANSFORMATION IN THE NATIONAL SECURITY ECOSYSTEM ISNR Abu Dhabi is the region’s most trusted...

View All Events

Companies

Instituto Tecnologico de Soledad Atlantico - ITSA

Frequentis AG

Industrias Faaca Colombia S.A.

View All Companies