SourMint API Could be Used to Target iOS Users via Supply Chain Attacks

What happened?

• In mid-August 2020, researchers stumbled across the SourMint SDK that posed as a genuine SDK for iOS app developers.
• The malicious SDK remained hidden within the Apple App Store for more than a year. It was used in over 1,200 iOS apps, with around 70 apps listed among the top 500 free apps found on the App Store.

More details

• The SDK was uploaded on Mintegral’s GitHub Repository, Cocoapods Package Manager for iOS, and Gradle/Maven for Android, and was made available for download by app developers. Out of these, the iOS version of SDK was found malicious, while the Android version was non-malicious.
• It logs URL-based requests made through apps that use the Advertising SDK and can hijack the functional flow of a user ad-click on any iOS device.
• When the SDK is used for iOS application development, the deployed apps get infected with malicious code to commit ad attribution fraud.
• It is capable of recording user activity, stealing personally identifiable information, and other sensitive information.

Recent supply chain attacks

• In mid-August, a malicious campaign was found targeting Mac users, distributing the XCSSET suite of malware that was being propagated via Xcode developer projects.
• In May, the Berserk Bear hacking group was found targeting the IT systems of German companies via supply chain attacks.

Conclusion