AdThief malware infected jailbroken Apple devices

Malware expert Axelle Apvrille explained how the iOS AdThief malware infected more than 75000 jailbroken iOS devices hijacking millions advertisements.

More than 75,000 jailbroken iPhones have been infected by a Chinese malware which were used by cyber criminals to hijack nearly 22 million advertisements and steal revenue from developers on the iOS jailbreak community.

The AdThief malware, detected by virus prober Axelle Apvrille, relies on the Cydia Substrate extension that is present on jailbroken devices, the bad actors used it to hijack advertising bucks.

Apvrille identified a Chinese vxer Rover 12421 as author of the malware, the source code includes strings referring the path ‘/Users/Rover12421’ which allowed the expert to localize the coder.

The Chinese hacker is specialized in mobile platforms and claims to have written parts of the AdThief some time ago, but that a third party then improved its source code.

“The malware author forgot to strip out some debugging information – which is helpful (for us) for identifying the adkits it targets via their source fi lenames. It is also helpful for identifying the malware author. Indeed, the strings inside the malware show the following path: /Users/Rover12421/Library/Developer/Xcode/” said the expert.

The coder Rover 12421 admitted to have written the AdThief malware but denied any responsibility for its propagation, the guy ran a blog detailing various Android hacks, a Github and inactive Twitter account.

“We can assume that ‘Rover12421’ is the malware author. He maintains a blog (http://www.rover12421.com/) and works on Android hacks (some of which are hosted at https://github.com/rover12421). He also has a Twitter account (@rover12421), although that is fairly inactive. On pediy.com forums, he is known as ‘zerofile’” said Apvrille.

Apvrille explained that advertiser identities were modified by the malware to redirect revenue to attackers.

“In other words, each time you view or click an ad on an infected device, the corresponding revenue goes to the attacker, and not to the developer or the legitimate affiliate,” “[AdThief] hooks various advertisement functions and modifies the developer ID (promotion ID) to match that of the attacker.” Apvrille (@cryptax) said.

The AdThief malware is targeting 15 mobile advertising kits worldwide, including popular Google Mobile Ads and Weibo, the malware authors have forgotten to remove identifying information from the source code making possible the identification of ad services hit.

The diffusion of AdThief malware is the demonstration that root/jailbreak devices is a risky behavior that exposes mobile users to serious risks.

For further details give a look to the paper “Inside the iOS/AdThief malware“ published by Apvrille.

Pierluigi Paganini

(Security Affairs – AdThief, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.