AdThief iOS Malware Affecting 75K Jailbroken Devices

A relatively new form of malware on iOS is estimated to have stolen revenue from 22 million ads and infected upwards to 75,000 devices so far.

A relatively new form of malware on iOS is estimated to have stolen revenue from 22 million ads and infected upwards to 75,000 devices so far.

The malware, iOS/AdThief, was first identified back in March but wasn’t fully articulated until Axelle Aprville, a researcher with Fortinet, looked into the malware further for a Virus Bulletin study (.PDF) published last week.

Also known as Spad, technically the malware tweaks a developer ID that’s intended to tell ad developers when their ads are either viewed or clicked and in turn, generate revenue. In the malware’s case, infected devices funnel those small payments away from the developers to the hacker.

The malware, only present in jailbroken devices for now, uses Cydia Substrate, a platform for developing third-party add-ons for iOS, to carry out the hack.

“[Cydia] provides an API to hook the legitimate functions, and you can add your own tweaks,” Aprville writes, “This is exactly what the malware does, it hooks various advertisement functions and modifies the developer ID.”

In total the malware jacks revenue from 15 different ad kits. While most are Chinese, four (including Google’s AdMob) are based in the U.S. and two reside in India.

  • AderMob (CHINA)
  • AdMob and Google Mobile Ads (USA)
  • AdsMogo (CHINA)
  • AdSage/MobiSage (CHINA)
  • AdWhirl (USA)
  • Domob (CHINA)
  • GuoHeAD (CHINA)
  • InMobi (INDIA)
  • Komli Mobile (INDIA)
  • MdotM (USA)
  • MobClick (USA)
  • UMeng (CHINA)
  • Vpon (CHINA)
  • Weibo (CHINA)
  • YouMi (CHINA)

According to Aprville, an oversight by the hacker – failing to omit the malware’s debugging info – allowed the researchers to see exactly which adkits were being compromised by the malware.

Further research into the malware’s creator (Rover12421) claims he wrote part of the code “some time ago,” that it was his only iOS project, and denies propagating the malware.

As the writeup points out, Chinese security researcher Claud Xiao was the first to discover AdThief back in March when he published a blog post, “New iOS malware use Cydia Substrate to steal advertisement promotion fee.” Last week’s Virus Bulletin report builds off that post, streamlining Xiao’s information and adding in several clarifications.

The news follows up revelations from June on the legal spyware tool, Remote Control System (RCS) developed by HackingTeam, and how a handful of mobile malware modules, including a Trojan, can be used to spy on iOS devices.

Like AdThief, the HackingTeam iOS module only works when users open their devices up to third-party applications by jailbreaking them.

Suggested articles