The discovery of malicious code and data leak in iOS and Android
Patrick Vandenberg, Director of Product Marketing at Snyk
Developers today can code more productively and with greater powers than ever before. They have collectively gotten smarter about leveraging existing code. From open source libraries to code repositories, from APIs to SDKs, there's a wealth of functionality available that can be rapidly implemented into code streams. However, these elements have to be used wisely and securely.
Recently, as part of Snyk's regular research work in uncovering new vulnerabilities, we discovered malicious functionality in the advertising SDK from a Chinese company, Mintegral. On the surface, it offers exactly the plug-and-play functionality developers need – inserting ads into your mobile app for speedy, trouble-free monetisation.
But that's not all it did, as we discovered when we delved into its Apple SDK – searching for potential vulnerabilities and flaws.
We found a chunk of code that had been obfuscated using a modified version of Base64 encoding. Having decoded the segment, we discovered several malicious aspects, including the ability to record HTTP URLs and headers from any site visited through the app, even if the SDK wasn't activated. Even worse, and perhaps its main purpose, it possessed the ability to fraudulently alter advertising attribution, potentially stealing click revenue from other ad networks or from the app publisher.
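The article does not say how Mintegral's Base64 variant differed from the standard, so the following is an added illustration, not Snyk's tooling or the SDK's actual scheme: it assumes the common "custom alphabet" variant, where the 64 symbols are permuted, and shows the analyst's workflow of translating a candidate alphabet back to the standard one, decoding, and keeping only the strings that turn into readable text. The alphabet and the sample strings are constructed for the example.

```python
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed alphabet (a permutation of the standard one); the real SourMint
# alphabet is not given in the article, so this is an assumption for the demo.
CUSTOM_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210/+"


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")


def custom_b64_encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Encode with the standard codec, then map each symbol to the custom alphabet."""
    _check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


def custom_b64_decode(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map custom symbols back to the standard alphabet, restore padding, decode."""
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet, STD_ALPHABET)
    normalized = data.translate(table)
    normalized += "=" * (-len(normalized) % 4)  # obfuscators often strip '='
    # validate=True rejects any character outside the standard alphabet,
    # which is how non-encoded strings get filtered out below.
    return base64.b64decode(normalized, validate=True)


def looks_like_text(raw: bytes) -> bool:
    """True when every byte is printable ASCII (or tab/newline/CR)."""
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def find_encoded_strings(candidates, alphabet: str = CUSTOM_ALPHABET) -> dict:
    """Return {original: decoded_text} for strings that decode to readable text
    under the candidate alphabet; everything else is silently dropped."""
    hits = {}
    for s in candidates:
        try:
            decoded = custom_b64_decode(s, alphabet)
        except (ValueError, binascii.Error):
            continue  # not valid under this alphabet
        if looks_like_text(decoded):
            hits[s] = decoded.decode("ascii")
    return hits


# Constructed stand-in for `strings` output from a binary: two ordinary symbols
# and two blobs encoded with the custom alphabet.
SAMPLE_STRINGS = [
    "viewDidLoad",                              # ordinary selector, decodes to junk
    "objc_msgSend",                             # '_' is outside the alphabet
    custom_b64_encode(b"allHTTPHeaderFields"),  # constructed obfuscated string
    custom_b64_encode(b"https://"),             # constructed obfuscated string
]

if __name__ == "__main__":
    for original, text in find_encoded_strings(SAMPLE_STRINGS).items():
        print(f"{original!r} -> {text!r}")
```

In practice the candidate alphabet comes from the decoder routine found in the disassembly; once it is known, running every string table entry through `find_encoded_strings` surfaces the hidden API names and URLs that the plain string listing would never show.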
We responsibly disclosed these 'added extras' directly to Apple and to a number of affected major developers, and made our work public. We named the exploit 'SourMint'. Upon publication of our findings in multiple media outlets, Mintegral released a statement denying that the functionality existed and claiming they had never conducted any ad attribution fraud.
Use of the Mintegral SDK, and thus SourMint, extended to over 300 million downloads per month for more than a year. The SDK was present in many household-name games and apps, potentially affecting billions of users.
After news of the malicious functionality was made public, suspicion was raised in the community regarding the Android version of the SDK. We investigated and found once again that segments of code were obfuscated, and within those segments we identified both the same functionality and worse. The Android version of the SDK was able to log user activity that could include login tokens, potentially compromising the security of billions more users. We also performed a deeper analysis of the iOS SDK and discovered the possibility of Remote Code Execution via the SDK, which had evaded Apple's verification.
Again, we responsibly disclosed our findings to the relevant parties as well as to the press. Following each of our disclosures, Mintegral has reacted to the adverse publicity by releasing multiple versions of the SDK with the malicious functionality apparently eliminated. Of course, we continue to monitor the situation.
This malicious SDK was uncovered by Snyk's dedicated security research team, which maintains Snyk's proprietary vulnerability database. That database powers the Snyk platform, which includes solutions for open source security, container security, infrastructure as code and proprietary code security. Read more about SourMint or watch this video.