A software development kit (SDK) created by China's Mintegral is exhibiting malicious behaviour, stealing revenue from rival ad platforms and exfiltrating user data to servers controlled by its developers.
That is according to the researchers from British cyber security firm Snyk, who state that this malicious SDK - dubbed "SourMint" - is present in over 1,200 iOS apps on Apple's App Store - including Helix Jump, PicsArt, Subway Surfers, Talking Tom and Gardenscapes.
These apps are thought to have combined monthly user base of roughly 300 million people, according to Synk.
Mintegral is a mobile ad platform provider based in Beijing and owned by Mobvista, another Chinese ad network with its head office in Guangzhou.
According to researchers, 'SourMint' allows Mintegral to steal revenue from rival ad networks, which the apps using Mintegral's SDK also work with.
Mintegral allegedly claims attribution for clicks that did not happen on the ads it presents to raise revenue.
In addition to ad fraud, the SDK is also said to contain code that can track user activity by harvesting URLs accessed through the apps using the SDK.
After it is loaded, the SDK injects code into standard iOS functions within the application. The code is executed when a URL is opened from within the app, giving the SDK access to a large amount of data on the device - including private user details.
The SDK also inspects open URL events to discover if a rival ad network SDK was the source of the activity.
The malicious code exists only in iOS versions of the SDK, according to the researchers.
'The primary goal of the malicious code that Snyk uncovered in this SDK appears to be hijacking user clicks on ads within the app,' the researchers said in their report.
'The Mintegral SDK is able to intercept all of the ad clicks (and other URL clicks as well) within the application. It uses this information to forge click notifications to the attribution provider.'
In a statement on its website, Mintegral denied the allegations made by Snyk, saying that their practices 'will never conflict with Apple's terms of service or violate customer trust.'
The company said that its SDK 'collects information through a publicly available OS-level Apple API" and uses the data to "select the most relevant advertisement when our ad network is called to fill an ad request.'
'This is a standard industry technique for the purpose of identifying the most appropriate ad for a user,' the firm added.
'Mintegral was founded on the idea of bridging East and West through transparent, reliable and open advertising technology. This ethos continues unwavering and we will continue to work hard to remain a transparent and trustworthy partner for app publishers and advertisers around the world, and to ensure we help drive the mobile industry towards a clear, open ecosystem.'
The Lucifer malware infects machines and forms a botnet to mine cryptocurrency
Hackers are sending spam mails that purport to come from big defence contractors to trap potential targets
The vulnerabilities could allow threat actors to gain elevated privileges on a victim's machine
The attack can evade network security solutions, including firewalls, legacy proxies and sandboxes
Researchers exploited a bug in Emotet malware to create a killswitch, containing its spread for six months
But Emotet's operators have now patched the flaw