Malicious iOS SDK breaches user privacy for millions

Researchers discovered a malicious functionality within the iOS MintegralAdSDK (aka SourMint), distributed by Chinese company Mintegral.

Functional flow of a user ad-click being hijacked by the Mintegral SDK

Major privacy concerns

According to Snyk, SourMint actively performed ad fraud on hundreds of iOS apps and brought with it major privacy concerns to hundreds of millions of consumers.

On the surface, the MintegralAdSDK posed as a legitimate advertising SDK for iOS app developers, but its malicious code appeared to commit ad attribution fraud by secretly accessing link clicking activity within thousands of iOS apps that use the SDK.

SourMint also spied on user link click activity, improperly tracking requests performed by the app and reporting it back to Mintegral’s servers. Snyk’s researchers exposed SourMint and responsibly disclosed the information to Apple, alerting them to the active supply chain attack.

The SDK was distributed through Mintegral’s GitHub Repository, Cocoapods Package Manager for iOS; and Gradle/Maven for Android (which does not appear to be malicious). Unbeknownst to developers integrating it into their applications, the iOS versions of the SDK were malicious.

The SDK remained undetected for more than a year within the Apple App Store; SourMint first appeared in the 5.51 version of iOS in July 2019 continuing through version 6.3.7.0. Since then it has been identified in 1,200 iOS apps, including approximately 70 of the top 500 free apps found on the App Store, some of which are in the top 100.

Malicious iOS SDK functionality

Researchers found that SourMint has two major malicious functionalities in the SDK:

• Compromising app user privacy SourMint monitored and tracked when users clicked on links, spying on individual link activity by hooking onto the communication functions the iOS app user deployed. The SDK inserted itself via method swizzling into several functions responsible for opening resources in response to the user clicking on a link once it was installed. This allowed Mintegral to track all URLs accessed by the user and report the data back to Mintegral’s servers. This has impacted millions of consumers to date.
• Advertising attribution fraud SourMint was hijacking competing ad networks and consumers by manipulating click notifications used in attribution for app installs that were not actually generated by the Mintegral advertising platform. This process tricked attribution platforms to associate an install created by another source to Mintegral – manipulating the ‘last click attribution model’ commonly applied by attribution providers. This likely impacted the business of other advertisers and developers by taking away value that should have been attributed to them.

“As the first malicious SDK of this kind to infiltrate the iOS ecosystem, SourMint was very sophisticated. It avoided detection for so long by utilizing various obfuscations and anti-debugging tricks,” said Danny Grander, CSO, Snyk. “Developers were unaware of the malicious package upon deploying the application, allowing it to proliferate for more than a year. As cyber risk continues to ramp up, it’s critical for all software developers to mitigate the potential of malicious code making it into production and creating consumer privacy risk at this scale.”