Security Firm Snyk Alleges China-Based Mintegral Logs Activity, Steals Ad Clicks
Security company Snyk alleges that an advertising software development kit embedded in 1,200 iOS apps is misattributing ad clicks to steal revenue and logging potentially sensitive user actions.
The advertising SDK is made by a China-based company called Mintegral, which says it has 200 employees in 10 offices worldwide. Snyk dubbed the SDK “SourMint.”
Snyk says the first version of the malicious SDK, 5.5.1, was published on July 17, 2019, and subsequent versions have the same malicious functions. Collectively, the 1,200 apps that use it are downloaded about 300 million times a month, based on industry estimates, Snyk says. The Android version of Mintegral isn’t malicious, it adds.
“Many popular applications were affected by the malicious activities of this SDK,” writes Alyssa Miller, application security advocate with Snyk, in a blog post. “We hope this research shedding light on the situation will drive greater scrutiny and privacy controls for advertiser networks moving forward.”
But Apple tells Information Security Media Group that there’s no evidence to suggest apps with the SDK are harming users. Apple says the research does show, however, that app developers should be careful in how they integrate third-party code into apps because it could have impacts on privacy and security.
So far, it doesn’t appear Apple has taken any action to have developers remove the SDK from their apps.
Mintegral spies on user activity and logs any requests made for a URL through an app on which it is installed, Snyk alleges. That data, which could include personally identifiable information, is logged on a third-party server.
The SDK also falsely reports ad clicks, which could mean that ad revenue that should be attributed to an ad network is instead attributed to the SDK, Snyk alleges. It’s common for mobile applications to use several advertising SDKs to maximize ad revenue for an app.
“The Mintegral SDK is able to intercept all of the ad clicks (and other URL clicks as well) within the application,” Miller writes. “It uses this information to forge click notifications to the attribution provider. The forged notifications make it appear that the ad click came through their network even though it may have been a competing ad network that served the ad.”
Here’s Snyk’s illustration of how Mintegral allegedly intercepts ad clicks.
Miller says it’s impossible to estimate how much ad money Mintegral may have falsely attributed to itself because that would require access to back-end data across multiple ad networks and mediators. Ad mediators optimize filling ad requests when multiple advertising networks are used and attribute which entity should get credit.
Efforts to reach Mintegral CEO Eric Fang and other executives for comment weren’t immediately successful.
On its website, Mintegral lists apps and developers that use its platform. Those include Helix Jump made by Voodoo; Pocket Sniper! from JPGroup; and Boxing Star from Four Thirty Three Inc.
Miller tells ISMG that Snyk informed Apple of its findings before publishing its blog post but did not inform Mintegral beforehand. Since then, Snyk has had several conversations with Apple, Miller says. Snyk has also since reached out to some app developers.
Snyk started investigating Mintegral after “we were contacted by some people in the advertising industry who noticed odd behavior and asked us to help research it,” Miller says.
A demonstration video describes how Mintegral allegedly logs URLs that users might access from within an app that has its SDK embedded in it.
Snyk created a test app that scans QR codes and embedded Mintegral’s SDK. It then used the Charles web debugging proxy to watch the traffic. But Mintegral is coded to stop acting maliciously if it senses there’s a proxy in use, a phone is rooted or a debugger is in use, Snyk contends. Snyk tweaked some settings to overcome that.
Snyk’s demonstration of how the Mintegral advertising SDK logs URLs requested by users (Source: Snyk)
The evasive behaviors may explain why Mintegral passed “through Apple’s app review process without being detected,” Snyk says.
The demo video purportedly shows how Mintegral logs data that could be sensitive. The QR scanner is used to scan a code that leads to a URL with a Google document labelled “Top Secret.” In the background, Mintegral reaches out to the URL “n[dot]systemlog[dot]me” and sends an encoded payload. The encoded payload turns out to be the URL for the Google document.
“Mintegral now have access to our top secret document,” according to the narrator. “The malicious Mintegral SDK is monitoring every single HTTP request our mobile application makes and sending back potentially sensitive data about both the application and the user.”
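The check Snyk ran by hand in the video, watching proxy traffic for an outbound request whose encoded body carries a URL the app had just fetched, can be automated over a proxy capture. The following is an added example written for this article, not code from Snyk or Mintegral: the capture is constructed sample data modelled on the demo (the document id, the JSON wrapper and the base64 encoding are assumptions; the collector hostname is the one the article reports), and the function flags any request to a host outside the app's expected set whose body, raw or decoded, embeds a URL the app requested earlier.

```python
import base64
import binascii
from urllib.parse import urlparse

# Constructed sample traffic, modelled on the capture described in the article:
# the app fetches a document URL, then an SDK POSTs an encoded body to a
# third-party host that carries that same URL. Document id, JSON wrapper and
# base64 encoding are assumptions made for this example.
SECRET_DOC = "https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit"
CAPTURE = [
    {"seq": 1, "method": "GET", "url": SECRET_DOC, "body": b""},
    {"seq": 2, "method": "POST", "url": "https://n.systemlog.me/collect",
     "body": base64.b64encode(('{"url": "%s"}' % SECRET_DOC).encode())},
    {"seq": 3, "method": "GET", "url": "https://ads.example.test/fill", "body": b""},
    {"seq": 4, "method": "POST", "url": "https://ads.example.test/click",
     "body": b"ad=42"},
]

# Hosts the app is expected to talk to (constructed for the example).
EXPECTED_HOSTS = {"docs.google.com", "ads.example.test"}


def decode_candidates(body: bytes):
    """Yield plausible plaintext views of a request body: as-is, and
    base64-decoded when the body parses as strict base64."""
    yield body
    try:
        yield base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        pass


def find_url_leaks(capture, expected_hosts):
    """Flag requests to hosts outside expected_hosts whose body (raw or decoded)
    embeds a URL the app requested earlier in the same capture. Returns one
    finding per suspicious request: sequence number, host and leaked URLs."""
    seen_urls = []
    findings = []
    for req in capture:
        host = urlparse(req["url"]).hostname or ""
        if host not in expected_hosts and req["body"]:
            for view in decode_candidates(req["body"]):
                leaked = [u for u in seen_urls if u.encode() in view]
                if leaked:
                    findings.append({"seq": req["seq"], "host": host, "leaked": leaked})
                    break
        seen_urls.append(req["url"])
    return findings


if __name__ == "__main__":
    for finding in find_url_leaks(CAPTURE, EXPECTED_HOSTS):
        print("request %d to %s echoes earlier URL(s): %s"
              % (finding["seq"], finding["host"], ", ".join(finding["leaked"])))
```

Run against a real Charles export, the same logic needs only a loader that turns each captured request into the `url`/`body` dictionaries used here; the allowlist of expected hosts is the part that has to be built per app, since an SDK that reports to a domain the app legitimately uses would not be caught by the host check alone.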