SourMint – iOS SDK Caught Spying and Involved with Ad fraud, Data leak on Billions of iOS Users

Recently, iOS SDK found spying and involved with Ad fraud and data leak on billions of iOS users. The iOS SDK is quite famous, and it is used by nearly 1200 apps, along with billions of mobile users, not only this, but SDK also has over 300 million combined downloads per month. 

This data breach carried some malicious code, and its motive was to perpetrating mobile ad-click fraud and obtaining sensitive information of the users.

This data breach was detected by the cybersecurity firm Snyk, and later the researchers of the cybersecurity firm named this data breach as “SourMint.” 

According to the experts from Synk, when a user taps on an ad that is not assisted by the Mintegral network, the SDK inserts itself into the referral method. Therefore it starts deceiving iOS into as the user had clicked on different ads.

Ad fraud

The main motive of this ill-disposed data breach was that the threat actors make the users click on ads inside the app. These ads are mostly present in mobile applications; that’s why the advertisements are often impersonated by ad networks that the developer blends into their code.

The advertisers pay the ad networks to promote their ads, and these are credited to the appearance and performance of the ad. Through this network chain, all the app developers get some profits by the advertisement and the ad network gains from the advertisers.

These advertisements are quite profit-making, and that’s why the threat actors always prefer ad fraud. And these ad frauds are quite easy to perform as well.

Privacy exposures from this breach

In this data breach, the SDK has managed to obtain a hefty amount of data that includes:-

  • Requested URL, which includes many identifiers or other delicate information of the users.
  • The headers of the request that was created that include authentication tokens and other delicate data.
  • The application’s code that requests that is originated can help them to identify the user patterns.
  • The device’s Identifier for Advertisers (IDFA) is an unusual random number, which is used to recognize the device and the unique hardware identifier of the device, the IMEI.

Exploit Details

This data breach consisted of some very unusual technical exploit data, they are:-

  • The developers can easily download and install the SDK from the Mintegral’s site and can incorporate it into their app. 
  • Once the SDK gets installed, it can make several requests to the Mintegral server. 
  • These requests receive a JSON response that holds several parameters that are used by the ill-disposed code within the app.

Demonstration of the SourMint Malicious SDK

Data Involved

The data that are involved in this data breach are mentioned below:-

  • Mintegral SDK Version
  • OS Version
  • IP Address
  • charging state
  • network type
  • method name
  • IDFA
  • model
  • package name
  • URL
  • request headers
  • class Name
  • backtrace data

This data breach contains much delicate information, and the attackers have stolen the personal information of the users. However, the experts are investigating the whole matter thoroughly, and they would soon update the information regarding this breach.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read: Billions of Users Affected with Google Chrome Zero-Day That Allow Attackers To Fully Bypass CSP Rules

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.