At Least 1,200 iOS Apps Constitute a Privacy Risk for Users

Last updated June 28, 2021

Written by:

Bill Toulas
Cybersecurity Journalist

Security Researchers Lockscreen Bypass in Apple iOS 12.1

Image Courtesy of Pexels

Summarize with:

Add as preferred source on Google

A malicious SDK from a company in Guangzhou, China, is engaging in ad fraud and malicious user data access.
The software was tuned to operate cleverly in order not to raise flags and be detected by researchers.
Apple knows about it now, but informing hundreds of app developers to change their SDKs will be tricky.

According to details that have surfaced, a large China-based ad network named ‘Mintegral’ is linked with ad fraud, privacy-breaching practices, and basically malware. As it also happens, Mintegral’s SDK is used by approximately 1,200 apps currently available on the Apple App Store, which account for a total of 300 million installations since the beginning of this month alone.

A notable example is “Helix Jump,” an action game that has 500 million downloads. Other popular apps using the particular SDK are “Talking Tom,” “PicsArt,” “Subway Surfers,” and “Gardenscapes.”

This discovery comes from researchers at Snyk, who identified a malicious component in the Mintegral SDK, which they found to be an ad clicker. This means that users having the infected apps installed on their devices are loading ads in the background, which are then getting clicked by a bot that simulates user actions, and this makes a profit for Mintegral from referrals.

In addition, the SDK injects code in standard iOS functions within the application, which grants it access to private user information that the user never consented to share. So, essentially, this SDK turns the games into stealthy spyware.

The things that the SDK can collect and log are the following:

OS Version
IP Address
charging state
Mintegral SDK Version
network type
model
package name
IDFA
URL
request headers
method name
class Name
backtrace data

For this reason, Snyk informed Apple about their findings last week, and they expect the company to contact all affected iOS app developers as the list is pretty extensive. To clarify, the app developers don’t know about the fraudulent nature of the Mintegral SDK, so they are not willingly supporting it, and neither are they responsible for the data it collects.

Apple is already working on the introduction of privacy-related safeguards in the upcoming iOS 14, so hopefully, SDKs like Mintegral’s won’t be left to fly under the radar for much longer now.

To avoid detection thus far, the malicious SDK checks if it runs inside an OS simulator and stops. If the device is rooted or proxying, it stays inactive. When the app is turned on, it keeps conversion rates between 20% and 30% instead of pushing the throttle to 100%. This helps keep the risk of detection at a minimum. Now that Snyk published the details, Mintegral will most likely change its name and return with a more careful approach.

[UPDATE]: Mintegral has contacted TechNadu to share the following statement, which denies the allegations made by Snyk:

Today, we learned that allegations have been made suspecting that our SDK and advertising practices commit fraud and invade privacy. We would like to assure our clients and partners that these allegations are not true. We are taking this matter very seriously and are conducting a thorough analysis of these allegations and where they are coming from. We have and will continue to uphold the highest standards of data privacy for users and our customers.

To clarify some details about how our SDK works, our SDK collects information through a publicly available OS-level Apple API. We use this data to select the most relevant advertisement when our ad network is called to fill an ad request. This is a standard industry technique for the purpose of identifying the most appropriate ad for a user. In an email dated August 24th, Apple said it has spoken with Snyk researchers about their report, and that they have not seen any evidence the Mintegral SDK is harming users. Our practices will never conflict with Apple’s terms of service or violate customer trust. We would never use this data for any fraudulent install claims and take these allegations very seriously.

To be fully transparent with our SDK and practices, we encourage our customers and partners to investigate this accusation through their independent data as well. We are confident that our customers and partners will reach the same conclusions, that is, there is no fraud taking place.

With all this said, in conjunction with Apple's upcoming iOS14 updates, we had already planned to deprecate this functionality in the SDK anyway. We have been and are in constant communication with all stakeholders, including Apple, and we felt removing this functionality was the best route for customers and users when iOS 14 is released. We encourage the rest of the industry to follow suit on this path.

Many partners have been with Mintegral since the beginning. We value our ongoing cooperation and their belief in Mintegral as a driver of growth for their mobile apps. We are continuing to assist our clients and are more than willing to provide complete transparency across the board.

Mintegral was founded on the idea of bridging East and West through transparent, reliable and open advertising technology. This ethos continues unwavering and we will continue to work hard to remain a transparent and trustworthy partner for app publishers and advertisers around the world, and to ensure we help drive the mobile industry towards a clear, open ecosystem.

Ex-Data Analyst Convicted in $2.5M Brightly Software Extortion Scheme

Perseus Malware Based on Phoenix and Cerberus Predecessors Initiates Android Device Takeovers, Targets Users’ Personal Notes

Handala Websites Seized by FBI After Stryker Cyberattack

Foster City Ransomware Attack Disrupts Non-Emergency Municipal Operations

4 Major Botnets Dismantled: Aisuru, KimWolf, JackSkid, Mossad

Healthcare industry, a target for cyberattackers

CISA Urges Organizations to Harden Endpoint Management Systems After Cyberattack Against US Medical Giant Stryker

Your Weekly Cybersecurity Briefing

Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.

Please enter a valid email address.