Security researcher Axelle Apvrille has revealed in a recent research paper published on Virus Bulletin that AdThief malware, which was first discovered back in March and also referred to as “Spad”, is hijacking ad revenue out of over 75,000 jailbroken iOS devices. The malware was created by a Chinese hacker and comes disguised as a Cydia substrate extension, that installs itself when certain Cydia packages are downloaded.
The report notes that the AdThief malware has hijacked revenues from millions of ads by swapping the publisher ID with the attacker’s own ID as ad revenue is generated every time an infected user clicks on an ad while surfing the website. The researcher further claims that the malware’s targeted networks include Google-owned AdMob and Google Mobile Ads, besides 13 other ad networks via ad kits.
“iOS/AdThief is a technical and malicious piece of code which hijacks revenue from 15 different adkits. It is built on top of the Cydia Substrate platform, available for jailbroken devices, which provides it with an easy way to modify advertisement SDKs. With Substrate, the malware needs only to focus on the call and implementation of each hook.
At first, the identification of every adkit the malware targets was difficult because the code mentions only class names used by each adkit SDK. However, the fact that the malware author did not strip out debugging information helped us to identify all 15 adkits. In particular, this is how support for Komli Mobile and GuoHeAD was detected.”
There are an estimated 22 million hijacked ads, so the malware has probably generated significant revenue for the owners.