SoylentNews

Popular iOS SDK Caught Spying on Billions of Users and Committing Ad Fraud

posted by martyb on Tuesday August 25 2020, @03:12PM   
from the can't-be-too-careful dept.

upstart writes in with an IRC submission:

Popular iOS SDK Caught Spying on Billions of Users and Committing Ad Fraud:

A popular iOS software development kit (SDK) used by over 1,200 apps—with a total of more than a billion mobile users—is said to contain malicious code with the goal of perpetrating mobile ad-click fraud and capturing sensitive information.

According to a report published by cybersecurity firm Snyk, Mintegral — a mobile programmatic advertising platform owned by Chinese mobile ad tech company Mobvista — includes an SDK component that allows it to collect URLs, device identifiers, IP Address, operating system version, and other user sensitive data from compromised apps to a remote logging server.

The malicious iOS SDK has been named "SourMint" by Snyk researchers.

"The malicious code can spy on user activity by logging URL-based requests made through the app," Snyk's Alyssa Miller said in a Monday analysis. "This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information."

"Furthermore, the SDK fraudulently reports user clicks on ads, stealing potential revenue from competing ad networks and, in some cases, the developer/publisher of the application," Miller added.

Although the names of the compromised apps using the SDK have not been disclosed, the code was uncovered in the iOS version of the Mintegral SDK (6.3.5.0), with the first version of the malicious SDK dating back to July 17, 2019 (5.5.1). The Android version of the SDK, however, doesn't appear to be affected.

---

Original Submission

• Re:apps spy on you Re:apps spy on you (Score: 2) by SomeGuy on Tuesday August 25 2020, @07:16PM (1 child)

  by SomeGuy (5632) on Tuesday August 25 2020, @07:16PM (#1041759)

  Holy crap. Just saying, cell phone salesmen must REALLY love you.

  Get one device for just work. Keep it on only during work hours.

  Yea, ok, one for work if they really require one. Some do. Hopefully they require it for a real reason, not just because they think cell phones are somehow cool. In an office environment, I'd want a real desk telephone so other similar professionals can actually HEAR me.

  Get another device for just banking. Do not install shit or browse the internets with that one. Never. Just banking. Only your bank knows the number.

  Unless you do piles of banking every day, just drive to the bank and use pencil and paper. (Drive thrus are still open). For electronic, why not just use a regular computer with a VM?

  If you must do gaming, get yet another for gaming.

  Or perhaps a game console instead of "phone"?

  For going outdoors, get another, trackable of course but not easily associable with your typical network activity indoors.

  Personal mobile phone, if you are out and about enough to justify that, sure, that is standard. Don't bother with any "smart" phone applications.

  Dedicate yet another device for wardriving, if you able enough to do that.

  Uh. Just don't do that.

  The others? I think I had better not ask.

  Having zero smart phones is much more secure. And much simpler. And less expensive.

  Parent

  Starting Score:	1		point
  Karma-Bonus Modifier		+1
  Total Score:		2

• Re:apps spy on you (Score: 2) by barbara hudson on Wednesday August 26 2020, @01:10AM

  by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday August 26 2020, @01:10AM (#1041899) Journal

  It's not like today's phones can't track nearby users over Bluetooth. See the Apple/Google covid tracker. The same sort of technology, without the anonymizing code, tied to a bunch of central servers, is the right's wet dream.

  --
  SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.

  Parent