August 24, 2020
BOSTON, Aug. 24, 2020 /PRNewswire/ — Snyk, the leader in developer-first security, has discovered a malicious functionality within the iOS MintegralAdSDK (aka SourMint), distributed by a Chinese company named Mintegral. SourMint actively performed ad fraud on hundreds of iOS apps and brought with it major privacy concerns to hundreds of millions of consumers. On the surface, the MintegralAdSDK posed as a legitimate advertising SDK for iOS app developers, but its malicious code appeared to commit ad attribution fraud by secretly accessing link clicking activity within thousands of iOS apps that use the SDK. SourMint also spied on user link click activity, improperly tracking requests performed by the app and reporting it back to Mintegral's servers. Snyk's Security Research team exposed SourMint and responsibly disclosed the information to Apple, alerting them to the active supply chain attack.
The SDK was distributed through Mintegral's GitHub repository, the CocoaPods package manager for iOS, and Gradle/Maven for Android (the Android SDK does not appear to be malicious). Unbeknownst to the developers integrating it into their applications, the iOS versions of the SDK were malicious. The SDK remained undetected within the Apple App Store for more than a year: SourMint first appeared in version 5.51 of the iOS SDK in July 2019 and persisted through version 188.8.131.52. Since then it has been identified in 1,200 iOS apps, including approximately 70 of the top 500 free apps on the App Store, some of which are in the top 100.
The vulnerability was exposed by Snyk's Security Research team, which manages and curates the Snyk Intel Vulnerability Database, the most advanced and accurate open source vulnerability database in the industry. The Snyk Intel Vulnerability DB maintains these high standards so that customers can contain open source security issues efficiently while keeping their focus on development.
The Snyk Security team found that SourMint has two major malicious functionalities in the SDK:
Compromising app user privacy: SourMint monitored and tracked when users clicked on links, spying on individual link activity by hooking the communication functions the iOS app invoked on the user's behalf. Once installed, the SDK used method swizzling to insert itself into several functions responsible for opening resources when the user clicks a link. This allowed Mintegral to track all URLs accessed by the user and report the data back to Mintegral's servers. It has impacted millions of consumers to date.
Advertising attribution fraud: SourMint hijacked competing ad networks and consumers by manipulating the click notifications used to attribute app installs that were not actually generated by the Mintegral advertising platform. This tricked attribution platforms into associating an install created by another source with Mintegral, gaming the 'last click attribution model' commonly applied by attribution providers. This likely harmed the business of other advertisers and developers by taking away value that should have been attributed to them.
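The privacy issue above hinges on method swizzling of the functions that open URLs. As an added example (not code from Snyk, Mintegral, or the SDK), the following Objective-C check lets an app developer audit, at runtime, whether the URL-opening selectors on UIApplication are still implemented inside a system framework or have been rerouted into some other binary image. The selector list and the "system path" heuristic are assumptions for illustration, and legitimate analytics SDKs also swizzle, so any finding needs triage rather than an automatic verdict.

```objc
// Added example: detect whether UIApplication's URL-opening selectors have
// been swizzled into a non-system image. Assumes UIKit is linked and the
// check runs on-device (the framework paths are an assumed heuristic).
#import <UIKit/UIKit.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// Returns the path of the binary image that holds the implementation
// currently installed for `sel` on `cls`, or nil if it cannot be resolved.
static NSString *ImplementingImage(Class cls, SEL sel) {
    Method m = class_getInstanceMethod(cls, sel);
    if (!m) return nil;
    IMP imp = method_getImplementation(m);
    Dl_info info = {0};
    if (dladdr((const void *)imp, &info) == 0 || !info.dli_fname) return nil;
    return [NSString stringWithUTF8String:info.dli_fname];
}

// Lists selectors whose implementation no longer lives under a system
// framework path, i.e. candidates for having been swizzled by an SDK.
NSArray<NSString *> *SuspiciousURLHooks(void) {
    NSMutableArray<NSString *> *findings = [NSMutableArray array];
    SEL selectors[] = {
        @selector(openURL:),
        @selector(openURL:options:completionHandler:),
    };
    for (size_t i = 0; i < sizeof(selectors) / sizeof(selectors[0]); i++) {
        NSString *image = ImplementingImage([UIApplication class], selectors[i]);
        if (!image) continue;
        // Assumption: UIKit code resolves to /System/Library/... (or /usr/lib/);
        // anything else, such as the app bundle or an embedded framework,
        // deserves a closer look.
        if (![image containsString:@"/System/Library/"] &&
            ![image containsString:@"/usr/lib/"]) {
            [findings addObject:[NSString stringWithFormat:@"%@ -> %@",
                                 NSStringFromSelector(selectors[i]), image]];
        }
    }
    return findings;
}

// Typical use: call once at launch in a debug or QA build and log the result.
void LogURLHookAudit(void) {
    for (NSString *finding in SuspiciousURLHooks()) {
        NSLog(@"URL-opening selector implemented outside system frameworks: %@", finding);
    }
}
```

The check is a heuristic only: a hooking SDK could also forward calls through a trampoline or override other entry points, so it complements, rather than replaces, reviewing each third-party dependency before shipping.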
"As the first malicious SDK of this kind to infiltrate the iOS ecosystem, SourMint was very sophisticated. It avoided detection for so long by utilizing various obfuscations and anti-debugging tricks," said Danny Grander, Snyk co-founder and CSO. "Developers were unaware of the malicious package upon deploying the application, allowing it to proliferate for more than a year. We are proud of the Snyk Research team for exposing SourMint, and we hope this raises awareness within the developer community about the need to integrate continuous security early into the development process. As cyber risk continues to ramp up, it's critical for all software developers to mitigate the potential of malicious code making it into production and creating consumer privacy risk at this scale."
Snyk is a developer-first security company that helps software-driven businesses develop fast and stay secure. Snyk is the only solution that seamlessly and proactively finds and fixes vulnerabilities and license violations in open source dependencies and container images. Snyk's solution is built on a comprehensive, proprietary vulnerability database maintained by an expert security research team in Israel and London. With tight integration into existing developer workflows, source control (including GitHub, Bitbucket, and GitLab), and CI/CD pipelines, Snyk enables efficient security workflows and reduces mean time to fix. For more information or to get started with Snyk for free today, visit https://snyk.io.