iOS-Based AdThief Malware Infects 75,000 Jailbroken iPhones

This week, details have emerged about a new strain of malware which is capable of hijacking major ad publication platforms on iOS devices, injecting itself into pop-ups in order to gain root access to a user’s phone.

According to the latest release of the Virus Bulletin newsletter, the infection, known as “AdThief”, has affected around 22 million ad displays on 75,000 separate jailbroken devices running nearly every cracked version of iOS on the iPhone 4 and 4s, and above. Initially discovered by independent mobile security researcher Claud Xiao of China back in March, the problem has only grown in spread and severity since first breaking out onto the scene.

Another researcher interested in AdThief, Axelle Apvrille, then went on to study the mobile malware for a number of months before publishing her report in this month’s Virus Bulletin. The report posts detailed results of her tracking campaign and breaks down the exact methods its designers used to ensure the program evaded detection and spread through a series of constantly shifting botnets, coded to lie low until the last possible moment in order to spread effectively.

Apvrille explains the malware’s tactics in greater detail here:

“Each time an end-user views or clicks on a given advertisement, the corresponding application developer (or partner, or affiliate) receives a small payment. This is what advertisement companies refer to as ‘cost per thousand impressions’ (CPM) or ‘click-through rate’ (CTR). To credit the right developer when ads are viewed or clicked, adkits identify developers (or partners etc.) with a developer ID.

iOS/AdThief modifies this developer ID, replacing it with an identifier owned by the attacker. Revenues are consequently hijacked, with all of the revenue generated when an ad is viewed or clicked being assigned to the attacker’s identifier.”
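The hijack Apvrille describes is a substitution of one identifier for another, which means a developer who compares the developer ID seen on each impression against the ID they actually registered can spot diverted traffic. The script below is an added example, not code from the Virus Bulletin paper or from any ad network: it assumes an ad-kit request log with `app=`, `sdk=`, `dev=` and `event=` fields, and the log lines, publisher IDs and CPM rates in it are constructed placeholders.

```python
"""Detect AdThief-style ad-revenue hijacking in impression records.

Added example; the log format, publisher IDs and CPM rates are all
constructed for illustration and do not come from any real ad kit.
"""
from collections import defaultdict

# Publisher IDs each app is registered with at each ad kit (constructed;
# in practice this comes from the developer's own ad-network accounts).
REGISTERED_IDS = {
    ("com.example.flashlight", "AdMob"): "pub-EXAMPLE-0001",
    ("com.example.flashlight", "InMobi"): "inmobi-EXAMPLE-0001",
}

# Constructed rates in USD per 1000 impressions, used only to size the loss.
CPM_USD = {"AdMob": 1.20, "InMobi": 0.80}

# Constructed ad-kit request log: one record per impression or click.
SAMPLE_LOG = """\
2014-08-01T10:00:01Z app=com.example.flashlight sdk=AdMob dev=pub-EXAMPLE-0001 event=impression
2014-08-01T10:00:02Z app=com.example.flashlight sdk=AdMob dev=pub-ATTACKER-9999 event=impression
2014-08-01T10:00:03Z app=com.example.flashlight sdk=InMobi dev=inmobi-EXAMPLE-0001 event=click
2014-08-01T10:00:04Z app=com.example.flashlight sdk=AdMob dev=pub-ATTACKER-9999 event=impression
2014-08-01T10:00:05Z app=com.example.flashlight sdk=InMobi dev=inmobi-ATTACKER-9999 event=impression
"""


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict (hypothetical log layout)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def find_hijacked(log_text, registered=REGISTERED_IDS):
    """Return records whose developer ID differs from the one the app registered."""
    hijacked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        expected = registered.get((rec["app"], rec["sdk"]))
        # Unknown app/sdk pairs are skipped rather than flagged: no baseline, no verdict.
        if expected is not None and rec["dev"] != expected:
            hijacked.append(rec)
    return hijacked


def summarize(hijacked, cpm=CPM_USD):
    """Group hijacked events by (sdk, substituted id) and estimate diverted revenue."""
    summary = defaultdict(lambda: {"impressions": 0, "clicks": 0, "diverted_usd": 0.0})
    for rec in hijacked:
        entry = summary[(rec["sdk"], rec["dev"])]
        if rec["event"] == "impression":
            entry["impressions"] += 1
            entry["diverted_usd"] += cpm[rec["sdk"]] / 1000
        elif rec["event"] == "click":
            entry["clicks"] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = find_hijacked(SAMPLE_LOG)
    for key, stats in summarize(hits).items():
        print(key, stats)
```

Because the substitution happens on the infected device, the ad network itself sees a perfectly well-formed request; the only party positioned to notice is the developer, who knows which ID should be on every impression from their own app. The check above therefore belongs in the developer's own analytics or in a comparison of the ad kit's reporting against install counts, not in the ad kit.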

Many of the most widely used ad display software kits were targeted as a result of AdThief’s advanced stealth mechanics, including AdMob, AdSage, InMobi, and Weibo. The malware also crosses international boundaries, tripping its way across the date line multiple times through the Americas, Europe, and Asia in 32 different languages.

Obviously, the risk of jailbreaking one’s phone is that the user loses all of the standard security protections installed by Apple, which currently make iOS one of the safest, least-penetrable options available on the market today.

Tim Cook recently presented statistics at this year’s Worldwide Developers Conference showing that, in comparison with Android devices, 99 percent of all mobile infections are on Apple’s competitor’s platform, most of which are distributed and maintained by networks set up in Google’s almost-ubiquitously infected Play store.

Many believe this stark difference in statistics is due to the way each company chooses to vet the apps that eventually make it onto its online marketplace. The App Store, which can often take several weeks to approve even the slightest update to an app, relies on a stringent (and massive) team of human reviewers who comb through the code of every submission by hand, and who can draw on their personal experience and intuition to decide whether or not an app poses a threat to users.

This process has ensured the App Store has remained almost entirely malware free, whereas Google Play has taken the much lazier, though more cost-effective, route of entrusting this process to an automated program, called Bouncer.

Bouncer can be easily fooled by even the most rudimentary viruses, and because it relies on a virtualized environment to run its checks on potential Play Store submissions, all hackers need to do is run their equipment in sandbox mode in order to make it through the process without a problem.

Of course, when a user decides to jailbreak their iOS device, all these checks and balances that the Apple security team spent years and tens of millions of dollars to set up go right out the window, and devices become a Wild West-esque combo of threat-attracting honeypots that not even the most disciplined of criminal organizations can resist.