Feeds

We told you jailbreaking your iThing was dangerous

Ad revenue looted from 75,000 infected iOS fondelslabs

Providing a secure and efficient Helpdesk

Chinese malware has infected more than 75,000 iPhones and hijacked some 22 million advertisements and stealing revenue from developers on the iOS jailbreak community, virus prober Axelle Apvrille says.

The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising bucks. Unmodified ithings are safe.

Apvrille located and confronted a Chinese vxer Rover 12421 who admitted writing the AdThief code but denied propagating it.

She explained in a paper Inside the iOS/AdThief malware [pdf] that advertiser identities were changed so that revenue was redirected to attackers.

"In other words, each time you view or click an ad on an infected device, the corresponding revenue goes to the attacker, and not to the developer or the legitimate affiliate," Apvrille (@cryptax) said.

"[AdThief] hooks various advertisement functions and modifies the developer ID (promotion ID) to match that of the attacker."

Ad Thief flow

Ad Thief flow

It targeted 15 mobile advertising kits including Google Mobile Ads and Weibo, four of which were based in the US, two in India and the remainder in China. The targets were identified because the attacker forgot to remove identifying information from the code.

A further gaffe meant strings included the path '/Users/Rover12421' allowing Apvrille to identify the coder who ran a blog detailing various Android hacks, a Github and inactive Twitter account.

Ad Thief flow

A cydia ad.

Apvrille said while 75,000 infected devices was small compared to the scores of iOS devices in use, attackers likely made bank with an estimated 22 million ads hijacked.

"... the malware has probably had a fair amount of impact and generated significant revenue for the owners."

Malware targeting Android was far more common since the security controls both on the devices and Google's Play app store were more lax than Cupertino's iOS portfolio.

Users insisting on jailbreaking their devices to make use of pirate apps the Cydia store should change their device's root password, set by default to 'alpine'.®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.