Feeds

We told you jailbreaking your iThing was dangerous

Ad revenue looted from 75,000 infected iOS fondelslabs

Security for virtualized datacentres

Chinese malware has infected more than 75,000 iPhones and hijacked some 22 million advertisements and stealing revenue from developers on the iOS jailbreak community, virus prober Axelle Apvrille says.

The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising bucks. Unmodified ithings are safe.

Apvrille located and confronted a Chinese vxer Rover 12421 who admitted writing the AdThief code but denied propagating it.

She explained in a paper Inside the iOS/AdThief malware [pdf] that advertiser identities were changed so that revenue was redirected to attackers.

"In other words, each time you view or click an ad on an infected device, the corresponding revenue goes to the attacker, and not to the developer or the legitimate affiliate," Apvrille (@cryptax) said.

"[AdThief] hooks various advertisement functions and modifies the developer ID (promotion ID) to match that of the attacker."

Ad Thief flow

Ad Thief flow

It targeted 15 mobile advertising kits including Google Mobile Ads and Weibo, four of which were based in the US, two in India and the remainder in China. The targets were identified because the attacker forgot to remove identifying information from the code.

A further gaffe meant strings included the path '/Users/Rover12421' allowing Apvrille to identify the coder who ran a blog detailing various Android hacks, a Github and inactive Twitter account.

Ad Thief flow

A cydia ad.

Apvrille said while 75,000 infected devices was small compared to the scores of iOS devices in use, attackers likely made bank with an estimated 22 million ads hijacked.

"... the malware has probably had a fair amount of impact and generated significant revenue for the owners."

Malware targeting Android was far more common since the security controls both on the devices and Google's Play app store were more lax than Cupertino's iOS portfolio.

Users insisting on jailbreaking their devices to make use of pirate apps the Cydia store should change their device's root password, set by default to 'alpine'.®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.