Thousands of Apple devices being infected with AdThief malware

Security researcher Axelle Apvrille recently published a paper about AdThief, a piece of iOS malware that hijacks ad revenue from a reported 75,000 infected devices. First discovered in March 2014, and also known as “spad,” the malware comes disguised as a Cydia Substrate extension and replaces the publisher IDs of legitimate publishers with the malware author's own, effectively attributing all ad revenue to him.

iOS/AdThief!tr
iOS/AdThief!tr hijacks advertisement revenues and redirects them to accounts owned by the attackers.

A publisher ID identifies a publisher's account on an ad platform and is what the platform uses to credit revenue to that publisher. By swapping a publisher's ID for his own, the malware author hijacked revenue from about 22 million ads: when an infected user clicks on an ad, the revenue goes to the attacker instead of to the developer of the application or website.

  • Infected devices: ~75,000
  • Total ad activations: ~22 million
  • Daily ad activations (around 20 March 2014): ~22,000

The malware was designed to target ad kits from 15 ad networks, including Google-owned AdMob and Google Mobile Ads, both representing a large share of mobile advertising at least here in the US. Other American companies targeted by AdThief are AdWhirl, MdotM, and MobClick. The remaining targeted ad networks were all from China or India.

TARGETED ADKITS

A list of mobile adkits targeted by the malware is provided in a report: YouMi, Vpon, MobClick, Umeng, AdSage/MobiSage, MdotM, InMobi, Domob, AdWhirl, AdsMogo, Google Mobile Ads SDK, AderMob, Weibo, MIX SDK and Poly SDK. The majority of these are Chinese, four are based in the US, and two in India.

In his report, Xiao notes that Weibo is a popular social network in China, but does not attribute MIX SDK and Poly SDK more precisely. In fact, Weibo also ships an advertisement SDK, introduced in 2013, so that solves one mystery.

MIX SDK can be attributed to GuoHeAD. It probably refers to the GuoHe MIX platform for cross-promotion of mobile games. This is also backed up by the name of a source file found in the malware: /Volumes/MacOsStore/Project/IOS/SpAd/SpAd/AD_GuoHe.xm.

Finally, Poly SDK is not a new adkit: it corresponds to AderMob. This is confirmed when downloading the AderMob iOS SDK.

Hijacked advertisements in iOS/AdThief

Adkit                        URL                                  Country
AderMob                      http://adermob.renren.com/           China
AdMob and Google Mobile Ads  http://www.admob.com/                USA
AdsMogo                      http://www.adsmogo.com/en            China
AdSage/MobiSage              http://www.adsage.com/mobiSage       China
AdWhirl                      http://www.adwhirl.com               USA
Domob                        http://domob.cn                      China
GuoHeAD                      http://www.guohead.com               China
InMobi                       http://www.inmobi.com                India
Komli Mobile                 http://www.komlimobile.com/index     India
MdotM                        http://www.mdotm.com                 USA
MobClick                     http://www.mobclix.com               USA
UMeng                        http://www.umeng.com                 China
Vpon                         http://vpon.com                      China
Weibo                        http://us.weibo.com                  China
YouMi                        http://www.youmi.net                 China

Implementation details of adkit hooks found in iOS/AdThief.A!tr

Adkit                            Source filename      Typical class names
AderMob                          AD_Ader.xm           AderSDK*
AdMob and Google Mobile Ads SDK  AD_AdMob.xm          GAD*
AdsMogo                          AD_AdsMongo.xm       AdMoGo*
AdSage                           ?                    MobiSageAd*
AdWhirl                          AD_Adwhirl.xm        AdWhirl*
Domob                            AD_DoMob.xm          DM*
GuoHeAD                          AD_GuoHe.xm          MIXView*
InMobi                           AD_InMobi.xm         IMAd*
Komli Mobile                     AD_KomliMobile.xm    APIManager*
MdotM                            AD_MDotM.xm          MdotM*
MobClick                         ?                    MobClick*
UMeng                            AD_UMeng.xm          UMUFP*
Vpon                             AD_Vpon.xm           VponAdOn*
Weibo                            AD_Weibo.xml         DXAdHWB*_
YouMi                            AD_Youmi.xm          YouMi* (delegated to Google Ads)

Conclusion

iOS/AdThief is a technically capable and malicious piece of code which hijacks revenue from 15 different adkits. It is built on top of the Cydia Substrate platform, available for jailbroken devices, which gives it an easy way to modify advertisement SDKs at runtime: with Substrate doing the method interposition, the malware only has to decide which methods to hook and what each hook should do.

At first, the identification of every adkit the malware targets was difficult because the code mentions only class names used by each adkit SDK. However, the fact that the malware author did not strip out debugging information helped us to identify all 15 adkits. In particular, this is how support for Komli Mobile and GuoHeAD was detected.
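The two traits described above, a Substrate extension that loads into every application and references the class names of many ad SDKs, are also what an analyst can look for on a jailbroken device. The following Python script is an added example, not code from the original post, from Fortinet or from Claud Xiao's report. It reads a Substrate filter plist and the printable strings of the matching dylib (both constructed here so it runs offline; on a device they would come from /Library/MobileSubstrate/DynamicLibraries/) and reports which of the adkits in the table above the extension appears to hook. Assumptions: externally referenced Objective-C classes appear as `_OBJC_CLASS_$_Name` symbols and Logos hooks also leave bare class-name strings; an extension with no filter at all is loaded into every process; the `com.apple.UIKit` filter is treated as "every UIKit app".

```python
"""Triage a Cydia Substrate extension for AdThief-style adkit hooking (added example)."""
import plistlib
import re

# Class-name prefixes per adkit, taken from the post's "Implementation details" table.
ADKIT_CLASS_PREFIXES = {
    "AderMob": ("AderSDK",),
    "AdMob/Google Mobile Ads": ("GAD",),
    "AdsMogo": ("AdMoGo",),
    "AdSage": ("MobiSageAd",),
    "AdWhirl": ("AdWhirl",),
    "Domob": ("DM",),            # short prefix: noisy on its own, hence the min_adkits threshold
    "GuoHeAD": ("MIXView",),
    "InMobi": ("IMAd",),
    "Komli Mobile": ("APIManager",),
    "MdotM": ("MdotM",),
    "MobClick": ("MobClick",),
    "UMeng": ("UMUFP",),
    "Vpon": ("VponAdOn",),
    "Weibo": ("DXAdHWB",),
    "YouMi": ("YouMi",),
}

# Constructed sample inputs: a filter plist that loads into every UIKit app and a
# few `strings` lines of the kind a hooking dylib would contain (not a real sample).
SAMPLE_FILTER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Filter</key>
  <dict>
    <key>Bundles</key>
    <array><string>com.apple.UIKit</string></array>
  </dict>
</dict>
</plist>
"""
SAMPLE_STRINGS = """\
_OBJC_CLASS_$_GADRequest
_OBJC_CLASS_$_GADBannerView
_OBJC_CLASS_$_AderSDKBannerView
_OBJC_CLASS_$_UIView
publisherId
/Volumes/MacOsStore/Project/IOS/SpAd/SpAd/AD_GuoHe.xm
MIXView
MobiSageAdView
_MSHookMessageEx
""".splitlines()

OBJC_CLASS_SYM = re.compile(r"^_OBJC_CLASS_\$_([A-Za-z_][A-Za-z0-9_]*)$")
CLASS_LIKE = re.compile(r"^[A-Z][A-Za-z0-9_]{3,}$")
# Assumption: a filter on a framework every app links loads the dylib everywhere.
BROAD_BUNDLES = {"com.apple.UIKit", "com.apple.Foundation"}


def parse_filter(plist_bytes):
    """Return the Bundles/Classes/Executables lists of a Substrate filter plist."""
    flt = plistlib.loads(plist_bytes).get("Filter", {})
    return {key: list(flt.get(key.capitalize(), []))
            for key in ("bundles", "classes", "executables")}


def is_broad_filter(filt):
    """True when the extension would be injected into (nearly) every application."""
    if not any(filt.values()):
        return True  # assumption: no filter means Substrate loads it into every process
    return any(b in BROAD_BUNDLES for b in filt["bundles"])


def class_names_from_strings(lines):
    """Collect class names from `_OBJC_CLASS_$_` symbols and bare class-like strings
    (Logos %hook compiles to objc_getClass("Name"), so names also appear verbatim)."""
    names = set()
    for line in (l.strip() for l in lines):
        m = OBJC_CLASS_SYM.match(line)
        if m:
            names.add(m.group(1))
        elif CLASS_LIKE.match(line):
            names.add(line)
    return names


def hooked_adkits(class_names):
    """Map each adkit to the sorted class names matching its prefixes (empty if none)."""
    return {adkit: sorted(n for n in class_names if n.startswith(prefixes))
            for adkit, prefixes in ADKIT_CLASS_PREFIXES.items()
            if any(n.startswith(prefixes) for n in class_names)}


def triage(plist_bytes, strings_lines, min_adkits=2):
    """Combine filter breadth, Substrate use and adkit coverage into one verdict."""
    broad = is_broad_filter(parse_filter(plist_bytes))
    uses_substrate = any("MSHookMessageEx" in s for s in strings_lines)
    hits = hooked_adkits(class_names_from_strings(strings_lines))
    return {"broad_filter": broad, "uses_substrate": uses_substrate, "adkits": hits,
            "suspicious": broad and uses_substrate and len(hits) >= min_adkits}


if __name__ == "__main__":
    report = triage(SAMPLE_FILTER_PLIST, SAMPLE_STRINGS)
    print(f"broad filter: {report['broad_filter']}, Substrate: {report['uses_substrate']}")
    for adkit, names in sorted(report["adkits"].items()):
        print(f"  {adkit}: {', '.join(names)}")
    print("verdict:", "suspicious" if report["suspicious"] else "no AdThief-style pattern")
```

The verdict is a triage signal, not a conviction: an ad-blocking tweak shows exactly the same pattern (broad filter, hooks into many ad SDK classes), so a hit still needs a look at the hook bodies to see whether they rewrite publisher IDs rather than suppress the ads.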

Links

  • Get the bulletin here
  • Read Claud Xiao’s report here