Malicious Package Affecting mintegraladsdk Open this link in a new tab package, versions <6.6.0.0


0.0
high
  • Exploit Maturity

    Mature

  • Attack Complexity

    Low

  • User Interaction

    Required

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-COCOAPODS-MINTEGRALADSDK-598852

  • published

    24 Aug 2020

  • disclosed

    18 Aug 2020

  • credit

    Snyk Security Team

How to fix?

Upgrade MintegralAdSDK to version 6.6.0.0 or higher.

Overview

MintegralAdSDK is a malicious package. The SDK distributed by the company contains malicious functionality that tracks any URL opened by the app and reports it back to the company, along with performing advertisement attribution fraud.

Mintegral can remotely activate hooks on the UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters and NSURLProtocol methods along with anti-debug and proxy detection protection. If those hooks are active MintegralAdSDK sends obfuscated data about every opened URL in an application to their servers.

Note that the malicious functionality is enabled even if the SDK was not enabled to serve ads.