A new malware by the name of AdThief is infecting jailbroken iOS devices. The malware injects itself as a Cydia Substrate extension, and steals ad revenues from developers by swapping advertising identifiers.
AdThief malware was described in detail by security researcher Axelle Apvrille in a paper published in Virus Bulletin. The paper says that the malware was first found in March 2014, and has infected over 75,000 devices till now. By swapping the developer’s legitimate advertising identifiers with their own, the creators of AdThief have managed to hijack nearly 22 million mobile ads.
Cydia Substrate is a framework that makes it very easy to modify apps and system software running on iOS devices, and it powers nearly every jailbreak tweak. AdThief creators use the same functionality to replace publisher identifiers of various ad networks with their own. The malware covers 15 different ad networks from US, China and India.The creator of the malware was found to be a Chinese hacker who goes by “Rover12421” and “zerofile” on social networks and forums, and specialises in mobile platforms. The hacker says that he only developed a prototype version of the malware, and that he has no hand in distributing this malware.
The paper doesn’t talk about how the malware spreads, but it’s likely it comes through tweaks and apps installed from untrusted Cydia sources. So be careful and ensure that all the sources you add and the packages you install come from reliable sources.