AdThief (or Spad) is the name of a recently discovered iOS malware that has managed to infect some 75,000 jailbroken iOS devices and steal revenue from around 22 million ads in a period that spanned a little over four months.
Compared to malware targeting the Android mobile OS, iOS malware is extremely rare, so it’s understandable that new instances always generate considerable interest in anti-virus circles.
Discovered by researcher Claud Xiao in March 2014, AdThief’s first appearance happened around December 10, 2013. As the researcher didn’t share many details about his discovery, Fortinet’s senior mobile AV analyst Axelle Apvrille has decided to dig in herself and see what it’s all about.
The first thing she made sure to note is that the malware works only on jailbroken iOS devices. It relies on Cydia Substrate, a platform for modifying existing processes, to hook advertisement functions and make a simple change: the developer’s or an affiliate’s ID is replaced with that of the attacker.
This means that every time an ad is viewed or clicked, the revenue that should go to the former is redirected to the latter. Technically, the malware does not impact the user – the developers are the ones who lose money.
The malware targets 15 mobile adkits. Most of them are Chinese, but some US (AdMob, AdWhirl, Google Mobile Ads) and Indian (InMobi, Komli Mobile) ones are also affected.
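A defender triaging a jailbroken device can start from the filter plists that Cydia Substrate uses to decide which processes a hooking library is loaded into. The following is an added example, not code from the article or from either researcher: the class watchlist and the sample file names are constructed, and the article does not give AdThief's own file names or filter.

```python
import plistlib

# Illustrative watchlist (an assumption, not from the article): view classes
# shipped by two of the ad SDKs the article names. Extend for other adkits.
AD_SDK_CLASSES = {"GADBannerView", "AdWhirlView"}
# A filter on UIKit makes Substrate load the dylib into every UIKit app.
BROAD_BUNDLES = {"com.apple.UIKit"}


def audit_filter(plist_bytes):
    """Return the reasons one Substrate filter plist deserves a closer look."""
    try:
        flt = plistlib.loads(plist_bytes).get("Filter", {})
    except Exception:
        return ["filter plist could not be parsed"]
    reasons = []
    broad = BROAD_BUNDLES & set(flt.get("Bundles", []))
    ad_classes = AD_SDK_CLASSES & set(flt.get("Classes", []))
    if broad:
        reasons.append("loads into every app via " + ", ".join(sorted(broad)))
    if ad_classes:
        reasons.append("targets ad SDK classes: " + ", ".join(sorted(ad_classes)))
    return reasons


def audit_tweaks(filters):
    """filters maps dylib name -> filter plist bytes; returns flagged ones."""
    report = {}
    for name, raw in sorted(filters.items()):
        reasons = audit_filter(raw)
        if reasons:
            report[name] = reasons
    return report


# Constructed sample filters, as they would be read from
# /Library/MobileSubstrate/DynamicLibraries/*.plist in a filesystem dump.
SAMPLES = {
    "KeyboardTheme.dylib": plistlib.dumps({"Filter": {"Bundles": ["com.example.keyboard"]}}),
    "Unknown1.dylib": plistlib.dumps({"Filter": {"Bundles": ["com.apple.UIKit"]}}),
    "Unknown2.dylib": plistlib.dumps({"Filter": {"Classes": ["GADBannerView"]}}),
    "Broken.dylib": b"not a plist",
}

if __name__ == "__main__":
    for name, reasons in audit_tweaks(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

Many legitimate tweaks also filter on UIKit, so a hit is a prompt to check where the library came from, not a verdict.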
While analyzing the malware, Apvrille also found debugging information that seems to point to a Chinese hacker specializing in mobile platforms as the author of the malware.
His online handles “Rover12421” and “zerofile” revealed a Twitter account, a blog, Android hacks, and forum posts that intimate that he only created part of the malware’s code, i.e. an ad ID replacement plug-in that was later improved on, as well as propagated, by others.
Unfortunately, neither of the researchers explained how the malware spreads and infects devices. My money is on voluntary downloads of trojanized apps from third-party (illegal) iOS app stores.