Malicious Chinese SDK in 1,200 iOS Apps with Billions Installed Causes ‘Major Privacy Concerns for Hundreds of Millions of Consumers’

Named a Chinese advertising network Mintegral is accused of spying on user activity and advertising business in more than 1200 apps with 300 million installations per month since July 2019. Mintegral is headquartered in Beijing, China, and is owned by another Chinese advertising network, Mobvista, which is headquartered in Guangzhou, China.

One of the apps, Helix Jump, has more than 500 million total installations. Other popular apps that are affected include Talking Tom, PicsArt, Subway Surfers and Gardenscapes.

Taken together, this is likely to have implications for billions of total app installations on iPhone and iPad.

There is no exact number on how many devices as iPhone users have been affected, but Snyk says this is a “major privacy concern for hundreds of millions of consumers.”

“We have identified a malicious component of SDK that integrates with various iOS applications and enters the App Store,” said Danny Grander, co-founder and chief security officer at Snyk, the security company that found the problems. “That SDK is being distributed like a regular advertising network … something that developers can use to run their apps through advertising.”

Sneak informed Apple about the malicious SDK (a software component that developers use to add functionality to their apps without even having to write code).

Along with the standard and fully kosher ad network functionality, the Mintegral SDK performs click attribution fraud, Grander told me in a interview for the TechFirst podcast.

To do this, it also spies on user activity in apps that have it integrated.

“Developers can register as publishers and download the SDK from the Mintegral site,” says Snyk. Once the SDK is loaded, the code buys into standard iOS features within the application that execute when the application opens a URL, including App Store links, from within the app. This gives the SDK access to a significant amount of data and even potential private user information. The SDK also specifically examines these open URL events to determine if a competitor’s advertising network was the source of the activity. “

Apparently, the primary purpose of the SDK was to make money. To do this, it spies on what users are doing, including when they click on ads to install other apps. Since brands are paying ad networks for successful mobile app installations, the Mintegral SDK would then quickly send a fake click and “claim credit” for the app installation, Grander says.

While Grander would not speculate on the total amount of stubborn advertising money involved, given the extent and length of time the SDK was in operation before they – more than a year – were discovered, it could be in the hundreds of millions of dollars .

That’s a big problem for the advertising ecosystem.

According to advertising experts I interviewed, such as Eric Seufert (former VP of user acquisition for Rovio, who creates the Angry Birds apps) and Allison Schiff (an editor at AdExchanger), this type of click-injection advertising business is quite unique. iOS.

It’s been known for a while on Android, but it’s not just on iOS.

The bigger question for many is probably potential violations of users’ privacy. The good news: because iOS apps are sandboxed by the mobile operating system, the SDK could not continue accessing all your information.

The bad news is that it can communicate from affected apps.

“That all the traffic that goes out of that app, they can actually instrumentalize an interception,” Grander told me. “Some apps would have secrets like chat, text messaging, right? Other apps might have just [have] the number of coins you have won in any game. ”

Snyk says that the Mintegral SDK could “intercept all HTTP requests” from apps in which it was integrated. It also listened to clicks as “URL opening”, as did all the events in the App Store, which of course is how it all made money for its makers.

Most of the big apps are games, and there is not likely to be much privacy in games. But one, Topface, is a dating and chat app. That could have very private data. Another, Lust Puzzle, will likely help you “find the girlfriend of your dreams.” Meet24 is another dating app that has been influenced.

According to Snyk, data collection and registration include:

  • OS Version
  • IP address
  • charge status
  • Mintegral SDK Version
  • network type
  • model
  • package name
  • IDFA
  • URL
  • apply headers
  • method name
  • class Name
  • breakthrough data

Interestingly, even bad guys have bugs in their code. One piece of SDK code tried to record the entire body of HTTP requests (which contain both a “header” and a “body”), but failed:

“The body’s functionality is leaking, but it looks like they have some kind of defect and that did not actually happen,” Grander says.

The fraudulent activity was well hidden, says Snyk.

The fraudulent activity was disabled when the SDK saw it running in a simulator, or when a debugger was added, or when the phone was rooted (an unauthorized operating system was running), or as a proxy (routing communications via a VPN or other system) enabled.

Also, the code running the exploits was disguised, which is probably one of the reasons why Apple did not catch the SDK during the App Store review process.

An Apple representative confirmed that the company had spoken to Snyk and provided some insight into the background issue. Apple says it takes user privacy extremely seriously, and there is currently no evidence that users have been harmed. In addition, however, Apple cited this as an example of why developers need to be careful about which SDKs they use, because every code that SDK uses is in their app, and any potential security or privacy breaches the trust in them apps can undermine.

Furthermore, Apple says this is an example of why the company is making privacy improvements in the soon-to-be-released iOS 14, leaving the Apple Advertising Identifier (IDFA) only an opt-in. iOS 14 will also show people more details about what data apps are collecting.

Most likely, Apple will strain its own app and check SDK in the app approval stage, although the Apple representative did not mention this.

As far as the advertising business is concerned, I spoke with a mobile supplier for measurements that checked for evidence of fraud given this new information from Snyk. (Full disclosure, I do do some consulting in the industry.) The supplier found that for between 20% and 30% of the conversations Mintegral was represented on, there was a prior click within a few minutes of a competing ad network.

This is evidence that the Mintegral SDK may have been looking for clicks from competing ad networks and in some cases sending a false click to finish.

It is also evidence of some level of discretion among the people who carry out the false clicks. They did not immediately attempt to earn a large amount by turning it on for 100% of the ad clicks they discovered, which would have resulted in much faster detection by ad fraud specialists. Instead, they kept it at a lower level, which in principle would act as a little extra profit on top of normal business operations.

One particularly challenging component: Mintegral was integrated with a variety of meditation platforms.

Meditation platforms are kind of like a Swiss Army clip of ads. If you want to monetize your app through advertising, you do not want to add a single ad network SDK to your app: you want more options so you can generate the most revenue possible. But you also do not want to integrate dozens of ad network SDKs into your app. That’s a lot of work, and it makes your app bigger and potentially slower. That you use a mediation network that integrates multiple ad network SDKs for you. Mintegral was expanding in several, including MoPub (owned by Twitter), reaching out to them.

As mentioned earlier in this story, Snyk informed Apple a week ago about the advertising company SDK and its implications on privacy. There is still no word on what Apple is specifically doing in terms of noting developers, banning access to the App Store for apps with the Mintegral SDK, or other consequences.

I have contacted Mintegral and Mobvista for comments, and will add their perspective or comments as and when they respond.