Snyk, which specializes in “developer-first security,” says it’s discovered a malicious functionality within the iOS MintegralAdSDK (aka SourMint), distributed by a Chinese company named Mintegral.  

The security group says SourMint actively performed ad fraud on hundreds of iOS apps and brought with it “major privacy concerns to hundreds of millions of consumers.” On the surface, the MintegralAdSDK posed as a legitimate advertising SDK for iOS app developers, but its malicious code appeared to commit ad attribution fraud by secretly accessing link clicking activity within thousands of iOS apps that use the SDK. 

Snyk says SourMint also spied on user link click activity, improperly tracking requests performed by the app and reporting it back to Mintegral’s servers. Snyk’s Security Research team say it exposed SourMint and disclosed the information to Apple, alerting them to the active supply chain attack.

To learn more about the malicious SDK, read Snyk’s blog post and research analysis on SourMint here.