More than 1,200 iPhone apps infected with malware — what you need to know

iPhone 11
(Image credit: Apple)

More than 1,200 iPhone and iPad apps that are downloaded 300 million times every month contain malicious code that secretly steals user data and redirects ads, an application-security firm says. Tt appears that the malicious code was able to, and may have been designed to, evade Apple's iOS app-screening procedures.

In a new report released yesterday (Aug. 24), Boston-based Snyk says it discovered that the Mintegral software development kit (SDK) for iOS, an in-app advertising framework developed in China, logs the URL requests and request headers made by app users, either of which might include personal information.

"The scope of data being collected is greater than would be necessary for legitimate click attribution," Snyk's Alyssa Miller wrote in a Snyk company blog post yesterday. "The app also uses questionable coding methods to achieve this level of data access."

Unfortunately, there's little iPhone or iPad users can do about this malware, which Snyk calls "SourMint." It won't be easy to determine from the user end whether an iOS app is using this particular advertising SDK. 

Tom's Guide has reached out to Apple seeking comment, and we will update this story when we receive a reply. But ZDNet reported that Apple said it had no evidence that the Mintegral SDK was negatively affecting iOS users.

How the malware works

Mintegral is just one of many advertising SDKs in common use worldwide, and many mobile apps bundle in multiple SDKs to maximize ad revenue. Mintegral also makes an SDK for Android apps, but Snyk said it was not able to find any evidence of malicious activity by the SDK on Android.

The Mintegral SDK also commits ad fraud by hijacking other advertising frameworks' ad requests and claiming them as its own, stealing revenue that should have gone to other parties.

"The Mintegral SDK is able to intercept all of the ad clicks (and other URL clicks as well) within the application," Miller wrote.

"It uses this information to forge click notifications to the attribution provider," Miller added. "The forged notifications make it appear that the ad click came through their network even though it may have been a competing ad network that served the ad."

Ad fraud by itself doesn't harm users, although it's illegal. But the logging of the URLs could disclose unique identifiers embedded in URLs to Mintegral, Snyk said, and the request headers "could include authentication tokens and other sensitive information." 

It knows when it's being watched

Furthermore, the Mintegral SDK seems to be trying to hide this activity: "If it finds evidence that it is being watched, the SDK modifies its behavior in an apparent attempt to mask its malicious behaviors," Snyk wrote.

The malicious activity will stop if the SDK detects that it is running on a rooted phone or if debugging software is being used — both tools commonly used by security researchers.

"This may also help the SDK pass through Apple’s app review process without being detected," Miller noted.

"The attempts by Mintegral to conceal the nature of the data being captured, both through anti-tampering controls and a custom proprietary encoding technique, are reminiscent of similar functionality reported by researchers that analyzed the Tik Tok app," Miller added. 

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Latest in Mobile Apps
How to tour the Super Bowl stadium virtually with Google Maps
Google Maps glitch is purging Timeline data — what we know
Gboard app logo on mobile phone resting on a keyboard
Google Gboard redesign has already angered users — and I can see why
Waze app on iPhone in car
Forget Google Maps — Waze just got a huge upgrade that will help millions of drivers
A photo of the Apple Maps app tile displayed on an iPhone screen
Apple Maps may soon get ads, letting businesses pay to boost visibility
How to delete TikTok
TikTok confirms return to Apple and Google app stores — here’s what we know
How to tour the Super Bowl stadium virtually with Google Maps
Google Maps is adding this new feature for millions of drivers to make your ride safer
Latest in News
NYTimes Connections
NYT Connections today hints and answers — Sunday, March 16 (#644)
Nintendo Switch 2
New Nintendo Switch 2 FCC filing suggests this beloved Nintendo controller could make a comeback
(From L to R) Rohan (Nik Dodani), Josh (Brandon Flynn), Dorothy (Edie Falco), John (Dean Norris), and Liddie (Lisa Kuthrow) in The Parenting
Max top 10 movies — here’s the 3 worth watching right now
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #378 (Sunday, March 16 2025)
Samsung Galaxy Tab S10 FE renders
Samsung Galaxy Tab S10 FE price leak is bad news for budget-conscious buyers
Google Assistant
Gemini to kill off Google Assistant on most Android phones — here's what you need to know