Feeds

We told you jailbreaking your iThing was dangerous

Ad revenue looted from 75,000 infected iOS fondelslabs

Protecting users from Firesheep and other Sidejacking attacks with SSL

Chinese malware has infected more than 75,000 iPhones and hijacked some 22 million advertisements and stealing revenue from developers on the iOS jailbreak community, virus prober Axelle Apvrille says.

The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising bucks. Unmodified ithings are safe.

Apvrille located and confronted a Chinese vxer Rover 12421 who admitted writing the AdThief code but denied propagating it.

She explained in a paper Inside the iOS/AdThief malware [pdf] that advertiser identities were changed so that revenue was redirected to attackers.

"In other words, each time you view or click an ad on an infected device, the corresponding revenue goes to the attacker, and not to the developer or the legitimate affiliate," Apvrille (@cryptax) said.

"[AdThief] hooks various advertisement functions and modifies the developer ID (promotion ID) to match that of the attacker."

Ad Thief flow

Ad Thief flow

It targeted 15 mobile advertising kits including Google Mobile Ads and Weibo, four of which were based in the US, two in India and the remainder in China. The targets were identified because the attacker forgot to remove identifying information from the code.

A further gaffe meant strings included the path '/Users/Rover12421' allowing Apvrille to identify the coder who ran a blog detailing various Android hacks, a Github and inactive Twitter account.

Ad Thief flow

A cydia ad.

Apvrille said while 75,000 infected devices was small compared to the scores of iOS devices in use, attackers likely made bank with an estimated 22 million ads hijacked.

"... the malware has probably had a fair amount of impact and generated significant revenue for the owners."

Malware targeting Android was far more common since the security controls both on the devices and Google's Play app store were more lax than Cupertino's iOS portfolio.

Users insisting on jailbreaking their devices to make use of pirate apps the Cydia store should change their device's root password, set by default to 'alpine'.®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.