AdThief malware infected jailbroken Apple devices

Pierluigi Paganini August 14, 2014

Malware expert Axelle Apvrille explained how the iOS AdThief malware infected more than 75000 jailbroken iOS devices hijacking millions advertisements.

More than 75,000 jailbroken iPhones have been infected by a Chinese malware which were used by cyber criminals to hijack nearly 22 million advertisements and steal revenue from developers on the iOS jailbreak community.

The AdThief malware, detected by virus prober Axelle Apvrille, relies on the Cydia Substrate extension that is present on jailbroken devices, the bad actors used it to hijack advertising bucks.

Apvrille identified a Chinese vxer Rover 12421 as author of the malware, the source code includes strings referring the path ‘/Users/Rover12421’ which allowed the expert to localize the coder.

The Chinese hacker is specialized in mobile platforms and claims to have written parts of the AdThief some time ago, but that a third party then improved its source code.

“The malware author forgot to strip out some debugging information – which is helpful (for us) for identifying the adkits it targets via their source fi lenames. It is also helpful for identifying the malware author. Indeed, the strings inside the malware show the following path: /Users/Rover12421/Library/Developer/Xcode/” said the expert.

The coder Rover 12421 admitted to have written the AdThief malware but denied any responsibility for its propagation, the guy ran a blog detailing various Android hacks, a Github and inactive Twitter account.

“We can assume that ‘Rover12421’ is the malware author. He maintains a blog ( and works on Android hacks (some of which are hosted at He also has a Twitter account  (@rover12421), although that is fairly inactive. On forums, he is known as ‘zerofile’” said Apvrille.

Apvrille explained that advertiser identities were modified by the malware to redirect revenue to attackers.

“In other words, each time you view or click an ad on an infected device, the corresponding revenue goes to the attacker, and not to the developer or the legitimate affiliate,” “[AdThief] hooks various advertisement functions and modifies the developer ID (promotion ID) to match that of the attacker.” Apvrille (@cryptax) said.

Chinese malware redirect AdThief

The AdThief malware is targeting 15 mobile advertising kits worldwide, including popular Google Mobile Ads and Weibo, the malware authors have forgotten to remove identifying information from the source code making possible the identification of ad services hit.

The diffusion of AdThief malware is the demonstration that root/jailbreak devices is a risky behavior that exposes mobile users to serious risks.

For further details give a look to the paper “Inside the iOS/AdThief malware published by Apvrille.

Pierluigi Paganini

(Security Affairs –  AdThief, malware)  

you might also like

leave a comment