Security researcher Axelle Apvrille recently published a paper about AdThief, a malware aimed at hijacking ad revenue from a reportedly 75,000 infected devices. First discovered in March 2014, and also known as “spad,” the malware, which comes disguised as a Cydia Substrate extension, was found to replace the publisher ID of publishers with the one of the malware creator, effectively attributing all ad revenue to him.
A publisher ID is used to identify a publisher’s account on an ad platform, which helps track revenue generated by said publisher. By being able to swap the publisher’s publisher ID with his own, the malware creator was able to hijack revenue from about 22 million ads. In effect, when clicking on an ad, an infected user would generate ad revenue for the attacker instead of the developer of the application or website.
The malware was designed to target ad kits from 15 ad networks, including Google-owned AdMob and Google Mobile Ads, both representing a large share of mobile advertising at least here in the US. Other American companies targeted by AdThief are AdWhirl, MdotM, and MobClick. The remaining targeted ad networks were all from China or India.
Thanks to some debugging information that was left in the malware code, the security researcher was able to track down the creator and identify him as Rover12421, a Chinese hacker specializing in mobile platforms. Posing as “zerofile” on some forums, he admitted working on a publisher ID swapper for AdMob, but denies being involved in developing the code further, or even being part of the malware propagation.
At this time, it is unknown how the Cydia Substrate extension gets on jailbroken devices. We could speculate that it makes its way to devices after being installed from third party packages in Cydia, likely from a non-default repository. So far, there is no known way to find out if you’ve been affected. As always, it is very likely that jailbreak users who’ve been adding pirate repos are more likely to be affected than others.
In April of this year, another malware targeting jailbroken iOS devices surfaced. Dubbed unflod, the malware was found to capture the Apple ID and password of the infected device and send them to a Chinese IP address.
Because there is so little known so far about AdThief, we can only warn our readers to be careful about what repositories they add and what package they download.
More information about AdThief
- Paper by Axelle Apvrille
- Claud Xio’s blog
- Reddit (hat tip to /u/eljefeargentino)