iOS AdThief: Inside the malware that stole revenue from app developers
Most call it AdThief. Others refer to it as "Spad." For iOS app developers, though, it's probably best to describe it as a rare piece of malware targeting Apple devices that has taken a lot of the money they made.
Although it was first discovered back in March, security experts estimate that iOS AdThief has hit 75,000 infected devices and hijacked revenue from 22 million ads, across a slew of different ad networks. Understanding how it works--and the extent to which similar threats could emerge--may be important for developers who want to make the most of Apple's considerable installed base.
Two months ago, Virus Bulletin, a popular technical publication for IT security professionals, published a lengthy analysis of iOS AdThief by Axelle Apvrille. The researcher with Sunnyvale, Calif.-based security firm Fortinet said the malware was modifying the developer ID behind such ads, meaning the click-through revenue that developers earn from ad networks via affiliate marketing programs would be redirected to the malware author.
According to Apvrille, iOS AdThief was created by a Chinese hacker known only as "Rover12421." When she managed to contact him, he said the code for the ID replacement plug-in was enhanced by someone else and denied spreading it, claiming the project had been closed.
Note: Jailbroken iPhones & iPads
It is important to add here that iOS AdThief was used on jailbroken iPhones and iPads, Apvrille told FierceDeveloper, a detail that might offer some level of reassurance to developers.
iOS/AdThief hijacks advertisement revenues and redirects them to accounts owned by the attackers.
"Hijacking ad revenues on a non-jailbroken device would require extensive modification in the application and the ad kit it embeds. I am not sure such an application would manage to get through Apple's inspection process," she said. "On a jailbroken device, it is much easier, because you do not need to modify the targeted application but just a plugin for Cydia."
Ad networks such as InMobi, which was among the firms identified as being affected in Apvrille's report, did not respond to requests for interviews.
On the other hand, Claud Xiao, a senior engineer at Palo Alto Networks who first discovered iOS AdThief, suggested it may still be too early to gauge the malware's total impact.
"The AdThief's infection number should be much bigger than 75,000," he said, adding the number came from backend statistics of UMeng, a mobile analytics firm that has been compared with the likes of Flurry. "I believe there're more devices [that] were infected and weren't counted by UMeng."
Given that AdThief was aimed at mobile advertising, iOS developers who are focused on making more money might tend to think differently about in-app purchases, which may be less affected by such malware.
iOS AdThief, which targets jailbroken iPhones and iPads, may lead developers to stick with the official App Store.
"As we've seen on desktop computers, the problem with so-called 'bot' or 'zombie' malware--where the crooks can issue it instructions from afar--is that it can, in theory, do everything that a user could do," Peter Ducklin, a senior security advisor with Abingdon, U.K.-based Sophos, pointed out. "I don't think the AdThief techniques are directly applicable to in-app purchasing, so you couldn't easily adapt the AdThief code for that purpose, but the malware of the future isn't limited only to shenanigans with ads."
AdThief may also lead developers to reconsider their occasional grievances with Apple and stick to the official App Store. "It will only concern developers who intend to get substantial revenue from advertisement and release their app on unofficial iOS marketplaces," Apvrille said.
Tracking the culprit
Ducklin said there isn't a lot Apple can do to protect developers or app users from malware such as iOS AdThief, but it's possible other parts of the app ecosystem could lead the proper authorities to the culprit.
"Fraudulent ad payments have to go somewhere, and the crooks then have to 'cash out' their ill-gotten gains," he said. "What we don't yet know is whether the AdThief creator actually made any money out of the malware; if he did, you can reasonably expect the ad networks to get stuck into their version of the 'cat-and-mouse' game," by making it harder for the crooks to realize their "winnings."
In the meantime, Xiao said the only option for iOS developers is to disable user logins or money transfer functions if they detect one of their users operating a jailbroken device. Ducklin suggested developers consider AdThief more of a cautionary tale, rather than the beginning of a security epidemic on Apple devices.
"Malware writers are always adding more and more tricks to make their code harder to understand," and analysts are developing new techniques to neutralize the coders' obfuscation attempts. "Don't worry too much about that--we're used to it by now," he said. "If history is a guide, iOS malware will continue to appear sporadically, but I don't think there's any cause for alarm just yet."