About 75,000 iOS devices have been infected by AdThief

Aug 13, 2014 12:44 GMT

In a paper on the AdThief malware for iOS devices, a security researcher explains the mechanism behind the malicious code that managed to steal the revenue from 22 million advertisements on a total of 75,000 devices.

The information is based on the original research of Claud Xiao, who discovered AdThief (also known as Spad) in March 2014. However, the details were scarce at that time, which prompted the new paper from researcher Axelle Apvrille.

The malware runs on jailbroken iOS devices only, and it is designed to divert to the attacker the revenue generated when users click on advertisements on infected devices; it does this by means of a Cydia Substrate extension.

Cydia Substrate is a framework for modifying running processes on jailbroken iOS devices. It allows code to hook into the legitimate functions of those processes, which gives an attacker the ability to insert their own changes.

In this case, the advertising functions are hooked and the developer ID is replaced with one belonging to the cybercriminal, so that all the revenue generated by ad clicks is hijacked.

By analyzing the hooks, Claud Xiao was able to identify the ad kits targeted by the malware; these are mostly Chinese, but some of them are located in the US and India: YouMi, Vpon, MobClick, Umeng, AdSage/MobiSage, MdotM, InMobi, Domob, AdWhirl, AdsMogo, Google Mobile Ads SDK, AderMob, Weibo, MIX SDK and Poly SDK.

In the analysis performed by Apvrille, the malware author was identified as using the online handle “Rover12421” and as being involved in Android hacking rather than iOS. The researcher found a forum post under the alias “zerofile” in which the AdThief creator says that he wrote at least some parts of the piece, which was his only iOS project.

However, he also states that the malicious code has been improved by others since his involvement in the project.

The original finder of the malware estimated in March that a total of 75,000 iOS devices were infected and the money from 22 million ads had been diverted to the attacker’s account.

There is no information on the total amount of money stolen from the original developers, but given the figures above, the impact must be significant.

Also, details about how the malware was distributed by the crooks remain unknown; however, it appears that AdThief started to infect jailbroken iOS devices around December 10, 2013, and by around March 20, 2014, the security researcher was seeing about 22,000 daily activations.

Contrary to what most users believe, not all malware on iOS requires a jailbroken device; some families are designed to work on non-jailbroken devices as well.