Homepage
About Snyk

Malicious Package Affecting mintegraladsdk package, versions <6.6.0.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature
    EPSS
    0.16% (53rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-COCOAPODS-MINTEGRALADSDK-598852
  • published 24 Aug 2020
  • disclosed 18 Aug 2020
  • credit Snyk Security Team
Report a new vulnerability Found a mistake?

Introduced: 18 Aug 2020

CVE-2020-7705 Open this link in a new tab
CWE-1021 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade MintegralAdSDK to version 6.6.0.0 or higher.

Overview

MintegralAdSDK is a malicious package. The SDK distributed by the company contains malicious functionality that tracks any URL opened by the app and reports it back to the company, along with performing advertisement attribution fraud.

Mintegral can remotely activate hooks on the UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters and NSURLProtocol methods along with anti-debug and proxy detection protection. If those hooks are active MintegralAdSDK sends obfuscated data about every opened URL in an application to their servers.

Note that the malicious functionality is enabled even if the SDK was not enabled to serve ads.

CVSS Scores

version 3.1
Expand this section

Snyk

7.1 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

8.1 high