AdThief, an iOS Malware which has hijacked Ad Revenue on More Than 75,000 Devices and close to 22 million ads

Imagine an ad appearing on an iPhone or iPad from a genuine source, but when you click it, the revenue it generates goes into a cybercriminal's account. It seems a nice and easy way to earn money. Researchers have discovered an iOS malware which is said to have infected tens of thousands of iPhones and iPads and made a hefty profit for its authors/owners. The malware, aptly called iOS/AdThief (aka 'Spad'), was first reported by Claud Xiao in March 2014.

Claud Xiao said that a Chinese researcher noticed a strange iOS dynamic library on his iOS device and posted his findings on China's largest security forum, PEDIY. Another researcher, Apvrille from Fortinet, has published a paper providing a detailed description of the threat's implementation and some information on its developer/author.
As per Apvrille, the AdThief malware works only on jailbroken devices because it relies on the Cydia Substrate extension. Once it infects a device, the malware modifies the developer ID in the advertisement SDKs used by installed applications, so that whenever an ad is displayed or clicked, the revenue goes to the cybercriminals instead of the app's publishers/developers.

“Cydia Substrate, which only works on jailbroken devices, is a platform for modifying existing processes. It provides an API to hook the legitimate functions, and you can add your own tweaks. This is exactly what the malware does: it hooks various advertisement functions and modifies the developer ID (a.k.a. promotion ID) to match that of the attacker,” Apvrille wrote in her paper.

As the debugging information was not removed by the malware authors, Fortinet was able to identify the ad kits that AdThief targets. Fortinet and Claud list the targeted ad providers as follows:

YouMi, Vpon, MobClick, AdSage/MobiSage, MdotM, InMobi, AdWhirl, Google Mobile Ads SDK, AderMob, Weibo, and Poly SDK. 
Figure 2. The spad.dylib changes the app key in the MobClick SDK (changes made by the malware to the MobClick SDK).
Claud says that AdThief also targets the very popular Chinese Twitter clone, Sina Weibo, even though it is not an advertisement SDK. The purpose of targeting Sina Weibo is not yet known.

Claud also notes that the AdThief malware has been spreading in the wild since December 2013 and is still growing. The malware mostly targets Chinese ad providers, but some of the affected ad companies are based in the USA and India. By infecting more than 75,000 iOS devices, the cybercriminals have managed to hijack an estimated 22 million ads, as per Claud. This amounts to a big windfall for the cybercriminals.

The fact that it targeted mostly Chinese ad kits, together with the debugging information left by the author, helped the researchers track down the original author of the malware. The clues left behind in the code led researchers to a Chinese hacker who specializes in mobile platforms. The author, who goes by the online handles "Rover12421" and "zerofile," has admitted writing the code for replacing developer IDs in advertisement SDKs, but he claims someone else picked up and improved the project. He denies being involved in the distribution of the malware.

A full research paper on AdThief is available here on Virusbtn in PDF format.
