Chinese ad network Mintegral has made headlines this week for allegedly spying on user activity and committing ad fraud. The Mintegral SDK for iOS is said to contain malicious code designed to monitor user activity in order to facilitate ad fraud, and this has apparently been going on for over a year.

Like other third-party advertising SDKs, the Mintegral SDK is a tool that helps developers monetize their apps via advertising. It is used in approximately 1,200 iOS apps that together reach roughly 300 million new users per month, so a huge number of users may have had their personal information exposed.

The Mintegral SDK is able to intercept HTTP requests and user clicks within the host application and use that information to forge ad click notifications. This tricks the advertiser into believing an ad click came through the Mintegral network even when the ad was served by a competing network, effectively stealing attributed ad revenue from other providers.

In a response to Forbes, Apple cited this as an example of why developers need to be careful about which SDKs they use: any code an SDK contains ships inside their app, and any security or privacy misdeeds by that code undermine trust in the app itself.

Advertising SDKs bring both revenue and risk for developers

Exploring mobile advertising is like peeling an onion, with the ads themselves at the core. Ads appear within an app, but getting them there requires expertise. You need to know how to source the ads, distribute them, select the right ad for the right user, format it, and encourage the user to interact with the ad content.

To monetize their apps, developers often include third-party SDKs in their app code that enable the app to serve ads without requiring the developer to become an advertising expert. Advertising SDKs are the equivalent of outsourced ads: developers simply define an area within the app for ads and the SDK does the rest. In many cases, the SDK provider will pay developers to use the SDK. The model works well when nothing goes wrong, but when there is mischievous activity it is difficult to place blame.

We recently discovered that the popular advertising SDK StartApp was serving bad content, including phishing attacks, scams and pornography. We also discovered that StartApp was obtaining 90% of its ads from a single ad network. The ad network in question consists of a large number of globally distributed servers and diverse domain names, which allow it to hide behind multiple subsidiaries, both physical and Internet-based.

It can sometimes be impossible to trace an ad back to its source. Ad content providers are a mix of legitimate businesses, hackers, scammers, and other entities. These advertisers must also have a contract to pay the ad network for managing the distribution of their content. Those funds ultimately trickle through the system, paying the ad network operators, the ad framework developers, and the app developers.

Another flavor of App Store click fraud

Similar to the Mintegral SDK discovery, in October 2019 we found 17 apps on the Apple App Store that were infected with clicker trojan malware. The apps were communicating with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue.

The clicker trojan module discovered in this group of applications was designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.

The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain a competitor's advertising budget, since every artificial click inflates the balance the competitor owes to the ad network.
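Both fraud patterns described on this page, the forged click notifications attributed to the Mintegral SDK above and the background clicking of the clicker trojans in this section, leave a footprint in an app's outbound traffic. The following script is an added example written for this article, not code from Mintegral, from any ad network, or from the malware discussed; it runs two simple detectors over a constructed per-app traffic log. The log format, hostnames (adnet-a, adnet-b, c2.example, cdn.example), event names and thresholds are all assumptions made for the example. The first detector flags a click postback that has no preceding user tap on the same placement, or that credits a different network than the one whose impression was on screen; the second flags hosts that receive background requests on a machine-like schedule with no user taps in between.

```python
"""Detect forged ad clicks and machine-paced background beacons in a
constructed app traffic log.  Example code added to the article; the log
lines, hostnames and thresholds are invented for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

TAP_WINDOW_S = 2.0   # assumed: a genuine click postback follows a tap within 2 s
MIN_BEACONS = 4      # assumed: judge cadence only after this many requests
MAX_JITTER = 0.10    # assumed: interval stdev/mean below this is machine-like

# Constructed log: timestamp app event network placement url
# event is one of impression, tap, click_postback, bg_request ("-" = n/a)
SAMPLE_LOG = """\
2020-08-24T10:00:00 game.example impression adnet-b banner1 https://ads.adnet-b.example/imp
2020-08-24T10:00:07 game.example tap - banner1 -
2020-08-24T10:00:07 game.example click_postback adnet-b banner1 https://attr.adnet-b.example/click
2020-08-24T10:05:00 game.example impression adnet-b banner1 https://ads.adnet-b.example/imp
2020-08-24T10:05:03 game.example click_postback adnet-a banner1 https://attr.adnet-a.example/click
2020-08-24T10:06:00 game.example click_postback adnet-a banner1 https://attr.adnet-a.example/click
2020-08-24T11:00:00 game.example bg_request - - https://c2.example/tasks
2020-08-24T11:00:30 game.example bg_request - - https://c2.example/tasks
2020-08-24T11:01:00 game.example bg_request - - https://c2.example/tasks
2020-08-24T11:01:30 game.example bg_request - - https://c2.example/tasks
2020-08-24T11:02:00 game.example bg_request - - https://c2.example/tasks
2020-08-24T11:10:00 game.example bg_request - - https://cdn.example/assets/1.png
2020-08-24T11:10:05 game.example bg_request - - https://cdn.example/assets/2.png
2020-08-24T11:11:00 game.example tap - menu -
2020-08-24T11:12:40 game.example bg_request - - https://cdn.example/assets/3.png
2020-08-24T11:13:02 game.example bg_request - - https://cdn.example/assets/4.png
"""


def parse_log(text):
    """Parse the whitespace-separated log into dicts, sorted by time (stable)."""
    events = []
    for line in text.strip().splitlines():
        ts, app, event, network, placement, url = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "app": app, "event": event,
                       "network": network, "placement": placement, "url": url})
    return sorted(events, key=lambda e: e["ts"])


def find_forged_clicks(events):
    """Return (timestamp, claimed network, reasons) for each suspicious click postback."""
    findings = []
    last_impression = {}  # placement -> network whose ad was shown most recently
    last_tap = {}         # placement -> time of the most recent user tap
    for e in events:
        if e["event"] == "impression":
            last_impression[e["placement"]] = e["network"]
        elif e["event"] == "tap":
            last_tap[e["placement"]] = e["ts"]
        elif e["event"] == "click_postback":
            place, reasons = e["placement"], []
            tap = last_tap.get(place)
            if tap is None or (e["ts"] - tap).total_seconds() > TAP_WINDOW_S:
                reasons.append("no user tap within window")
            shown = last_impression.get(place)
            if shown is not None and shown != e["network"]:
                reasons.append("impression served by %s, click claimed by %s" % (shown, e["network"]))
            if reasons:
                findings.append((e["ts"].isoformat(), e["network"], reasons))
    return findings


def find_beacon_hosts(events):
    """Return {host: {requests, period_s}} for hosts beaconed on a fixed schedule with no taps."""
    by_host = defaultdict(list)
    for e in events:
        if e["event"] == "bg_request":
            by_host[urlsplit(e["url"]).hostname].append(e["ts"])
    taps = [e["ts"] for e in events if e["event"] == "tap"]
    flagged = {}
    for host, times in by_host.items():
        if len(times) < MIN_BEACONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        taps_during = sum(1 for t in taps if times[0] <= t <= times[-1])
        if jitter <= MAX_JITTER and taps_during == 0:
            flagged[host] = {"requests": len(times), "period_s": mean(gaps)}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, net, why in find_forged_clicks(evs):
        print("forged click?", ts, net, "; ".join(why))
    for host, info in find_beacon_hosts(evs).items():
        print("beacon host?", host, info)
```

On the constructed log, the two postbacks to adnet-a are flagged on both counts (no tap, impression served by adnet-b), while c2.example is the only host flagged for cadence; the cdn.example fetches are irregular and bracket a user tap, so they pass. In practice the tap events would come from on-device instrumentation rather than the network log, and the thresholds would need tuning per app, but the shape of the check is the same.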

Recommendations

It is very difficult for a user to vet the ads displayed in applications. Once an app embeds ad infrastructure, the user has no control over what is presented or how and when it is displayed. We recommend the following steps to reduce the negative impact of harmful advertising practices:

  • Avoid downloading free apps where possible, especially if they have negative reviews. Free apps are more likely to use aggressive advertising techniques for monetization.
  • Always check user reviews for signs that other users may be dealing with aggressive, dangerous or inappropriate ads.
  • Use a threat defense solution that can:
    • Detect malicious network traffic that may be coming from the app. Malicious ads are not the only risk that users face.
    • Block command and control communication and data exfiltration while allowing apps to continue running. This ensures that outside attackers cannot “remote control” the app to spy on users, and it also prevents stolen data from being retrieved from the device.
    • Block ads to minimize disruptions.
    • Monitor for and prevent phishing scams that may be embedded in apps. We found a game that had a very sophisticated phishing scam embedded in the app itself; less sophisticated examples are usually delivered as ads that look convincing within a mobile app.
    • Identify and flag known-bad apps that contain bad ads
    • Restrict access to third-party app downloads
    • Analyze apps based on risk factors