SourMint API Could be Used to Target iOS Users via Supply Chain Attacks

Supply chain attacks are steadily gaining momentum among attackers as a way to reach their ultimate targets by compromising intermediaries. Recently, a Chinese company involved in iOS software development was exposed targeting end users via a supply chain attack.

What happened?

Mintegral, a Chinese global mobile ad platform, was found infected with a malicious software development kit (SDK) known as MintegralAdSDK or SourMint.
  • In mid-August 2020, researchers discovered that the SourMint SDK was posing as a genuine advertising SDK for iOS app developers.
  • The malicious SDK remained hidden within the Apple App Store for more than a year. It was used in over 1,200 iOS apps, around 70 of which ranked among the top 500 free apps on the App Store.

More details

  • The SDK was published on Mintegral’s GitHub repository, on the CocoaPods package manager for iOS, and on Gradle/Maven for Android, and was made available for download by app developers. Of these, only the iOS version of the SDK was found to be malicious; the Android version was not.
  • It logs URL-based requests made through apps that use the advertising SDK and can hijack the normal flow of a user’s ad click on any iOS device.
  • When the SDK is used for iOS application development, the deployed apps carry malicious code that commits ad attribution fraud.
  • It is capable of recording user activity and stealing personally identifiable information and other sensitive data.

Recent supply chain attacks

Supply chain threats have been used as an attack vector in several incidents.
  • In mid-August, a malicious campaign was found targeting Mac users, distributing the XCSSET suite of malware that was being propagated via Xcode developer projects.
  • In May, the Berserk Bear hacking group was found targeting the IT systems of German companies via supply chain attacks.

Conclusion

SourMint had remained hidden in the Apple App Store since July 2019. Thanks to sophisticated obfuscation and anti-debugging tricks, it was able to evade Apple’s security measures for that long. Software developers need to be aware of such supply chain threats to avoid exposing user data through their applications.