“In other words, each time you view or click an ad on an infected device, the corresponding revenue goes to the attacker, and not to the developer or the legitimate affiliate,” Apvrille said. “[AdThief] hooks various advertisement functions and modifies the developer ID (promotion ID) to match that of the attacker.“
If you have jailbroken your iPhone, iPad, or iPod touch and have downloaded pirated tweaks from pirated repositories, then you may be infected by “AdThief” malware, a Chinese malware that is now installed on more than 75,000 iPhone devices.
According to a recent research paper published on Virus Bulletin by the Security Researcher Axelle Apvrille, the malware, also known as “spad,” was first discovered by security researcher Claud Xiao in March this year.
Till now, AdThief aka Spad malware has hijacked an estimated 22 million advertisements and stealing revenue from developers on the iOS jailbreak community, Axelle Apvrille says.
The malware allegedly infects iOS jailbroken devices by disguising itself as Cydia Substrate extension, presents only on jailbroken Apple devices, when a malware infected Cydia package is downloaded and installed by the unsuspecting user.
Once installed, the malware modifies certain advertisements displayed on your iOS devices in an effort to redirect all the revenues to malware developer. In short, if you download or install a free ad-supported iOS app from the App Store, all of the cash generated by that app goes to the cyber criminal behind AdThief rather than the app’s developer.
Adthief has targeted advertisements from 15 popular mobile advertising networks, including Google’s AdMob and Mobile Ads, AdWhirl, MdotM, and MobClick, four of which were based in the US, two in India and the remainder in China.
The security researcher was able to identify the targets because the hacker mistakenly forgot to remove identifying information from the code. Further investigation allowed Apvrille to identify the coder who ran a blog providing details of various Android hacks, a Github and inactive Twitter account. Researcher located a Chinese vxer Rover 12421 who admitted writing the AdThief code but denied propagating it.
According to the researcher, the number of infected devices by the malware is small if compared to the figure of iOS devices in use, attackers likely generated significant revenue with an estimated 22 million advertisements hijacked.
The most important thing about this particular hack is that there is no way to find out if your device is infected by AdThief malware, because it runs in the background and is almost impossible to detect. Users of unmodified iOS devices need not to worry as they are safe from this malware infection.
Users of jailbroken Apple iOS devices are recommended to avoid downloads from untrusted repositories. Always be careful about adding new sources, and also be suspicious of those sources that promise pirated downloads of paid apps or tweaks.