Alyssa Miller from Snyk shared her team's research findings on malicious behaviour in the Mintegral SDK's code.
The Mintegral SDK mediates between advertisers and app developers: it provides an ad platform that developers download and embed in their apps so that they earn money when an app user clicks on an advertisement.
The research team looked at the fingerprints of the Mintegral SDK on iOS and found that its code is obfuscated and contains command-and-control functions, both of which are unusual for an ad SDK. The team then looked at the attribution space, and the click volume Mintegral claimed was much higher than that of competing attribution owners. When a user clicks an ad in the app, every URL click, including clicks on ads served by other advertising sources, is sent to Mintegral's server and modified so that it appears to have come from Mintegral. In addition, all of the user's URL traffic while the app is open is sent to Mintegral's server, including links to private Google Docs.
The research team could not confirm what the Mintegral SDK does with this sensitive user information, and Apple's App Store does not seem too concerned about it. On the surface, Mintegral is only stealing attribution from other advertising sources, which by itself has no user impact; the captured URLs are the part that does.
How did the SDK pass App Store review? It used obfuscation and a technique called method swizzling, which swaps a method's implementation for another at runtime, so nothing in the app's source shows the hook. Detecting such behaviour requires in-depth dynamic analysis, which is not feasible for the App Store to perform on the volume of submissions it receives every day.
Miller advises that app developers need to be aware that a malicious ad SDK in their app can expose users' sensitive data when those users click ads in the app. She believes it is crucial that we research these open-source components to find malicious behaviour and prevent cyber crime.
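To make the swizzling technique and the corresponding check concrete, here is an added Objective-C illustration. It is not Mintegral's code and not Snyk's; the category name `DemoInterception`, the selector `demo_openURL:options:completionHandler:` and the helper functions prefixed `Demo` are made up for this example. Part 1 shows how a category loaded into an app can hook `-[UIApplication openURL:options:completionHandler:]` at runtime and see every URL the app opens, including ad clicks from other networks, which is the kind of interception described above. Part 2 is the check an app developer can run: resolve the implementation behind a selector and ask the dynamic linker which image it lives in. The assumption that system frameworks resolve to a path under `/System/Library/` or `/usr/lib/` is mine; on the simulator the path carries a runtime-root prefix, hence the substring match.

```objc
// Added illustration of runtime method swizzling and a check for it.
// Build as part of an iOS app target; needs UIKit and the Objective-C runtime.
#import <UIKit/UIKit.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// ---- Part 1: the interception pattern an ad SDK can use at runtime ----
// A category on UIApplication that swaps UIKit's implementation of
// -openURL:options:completionHandler: for its own. Every outbound URL the app
// opens now passes through demo_openURL:... first. This hook only logs; an
// abusive SDK would forward the URL to its own server or rewrite the
// attribution parameters before the click leaves the device. Nothing in the
// app's own source changes, and the swap happens when the image is loaded.
@interface UIApplication (DemoInterception)
@end

@implementation UIApplication (DemoInterception)

+ (void)load {
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        SEL orig = @selector(openURL:options:completionHandler:);
        SEL hook = @selector(demo_openURL:options:completionHandler:);
        Method m1 = class_getInstanceMethod(self, orig);
        Method m2 = class_getInstanceMethod(self, hook);
        if (m1 && m2) method_exchangeImplementations(m1, m2);
    });
}

- (void)demo_openURL:(NSURL *)url
             options:(NSDictionary<UIApplicationOpenExternalURLOptionsKey, id> *)options
   completionHandler:(void (^ _Nullable)(BOOL success))completion {
    NSLog(@"[demo] intercepted openURL: %@", url);
    // After the exchange, this selector points at UIKit's original implementation,
    // so the click still goes through and the app behaves normally.
    [self demo_openURL:url options:options completionHandler:completion];
}

@end

// ---- Part 2: the check an app developer can run after all SDKs have loaded ----
// Which loaded image implements `sel` on `cls`? UIKit's own methods resolve
// into a system framework; an implementation that lives in the app bundle or
// an embedded third-party framework means the method was replaced at runtime.
static NSString *DemoImageImplementing(Class cls, SEL sel) {
    Method m = class_getInstanceMethod(cls, sel);
    if (!m) return nil;
    Dl_info info = {0};
    if (dladdr((const void *)method_getImplementation(m), &info) == 0 || !info.dli_fname) return nil;
    return [NSString stringWithUTF8String:info.dli_fname];
}

// Assumption (not from the research): system frameworks resolve under
// /System/Library/ or /usr/lib/; the simulator prefixes a runtime root.
static BOOL DemoIsSystemImplemented(Class cls, SEL sel) {
    NSString *path = DemoImageImplementing(cls, sel);
    if (!path) return NO;
    return [path containsString:@"/System/Library/"] || [path containsString:@"/usr/lib/"];
}

static void DemoCheck(NSMutableArray<NSString *> *findings, Class cls, SEL sel) {
    if (DemoIsSystemImplemented(cls, sel)) return;
    [findings addObject:[NSString stringWithFormat:@"-[%@ %@] is implemented in %@",
                         NSStringFromClass(cls), NSStringFromSelector(sel),
                         DemoImageImplementing(cls, sel) ?: @"<unresolved>"]];
}

// Audit the URL-opening entry points a click-hijacking SDK would plausibly hook.
// Call from application:didFinishLaunchingWithOptions: and treat every entry
// returned as something to explain before shipping.
static NSArray<NSString *> *DemoAuditURLHooks(void) {
    NSMutableArray<NSString *> *findings = [NSMutableArray array];
    DemoCheck(findings, UIApplication.class, @selector(openURL:options:completionHandler:));
    DemoCheck(findings, UIApplication.class, @selector(openURL:));
    return findings;
}
```

With Part 1 compiled into the app, `DemoAuditURLHooks()` reports the `openURL:options:completionHandler:` hook, because its implementation now resolves into the app's own image rather than UIKit; that is exactly the signal a swizzling ad SDK leaves behind, and the audit reports it without needing the SDK's source. The check is a heuristic: it covers replacement of a method's implementation, not hooks placed lower down (for example in the networking stack) or SDKs that subclass and re-register classes, so it complements rather than replaces the kind of dynamic traffic analysis the research relied on.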
https://thecyberwire.com/podcasts/research-saturday/164/notes