Update: Apple has now commented on the allegations, stating that it has found no evidence that apps using Mintegral's SDK are harming users.
As reported by SecurityWeek, the platform holder has spoken with security firm Snyk about its findings surrounding Mintegral's alleged ad fraud so it can be fully informed about the research.
Apple has said that developers are responsible for how their products behave, and should be cautious when using third-party code. However, it has also noted that third-party code can introduce unintended functionality, and claims the behaviour found by Snyk is "all too common".
Original Story: Mobvista-owned ad network Mintegral has been accused of major ad fraud across over 1,200 apps.
As reported by Forbes, the allegedly affected apps have seen 300 million installs each month since July 2019. One such application that is said to use the SDK is Helix Jump; the hypercasual game alone has amassed 500 million installs. Further apps affected include Outfit7's Talking Tom, PicsArt, Playrix's Gardenscapes and Sybo's Subway Surfers, the latter of which recently broke three billion downloads.
The breach was first noticed by security firm Snyk, which informed Apple of the alleged issues last week.
"We identified an SDK malicious component that is getting integrated into different iOS applications and getting into the App Store. That SDK is distributed as a regular ad network, something that developers can use to monetize their apps through ads," said Snyk chief security officer and co-founder Danny Grander.
In summary, the SDK is supposedly tracking when users make app installs through an ad, and sending out a fake click to "steal" the attribution for the install, thus making money for Mintegral. Allegedly, hundreds of millions may have been earned through the reported scheme.
"Developers can sign up as publishers and download the SDK from the Mintegral site," said Snyk.
"Once loaded, the SDK injects code into standard iOS functions within the application that execute when the application opens a URL, including App Store links, from within the app. This gives the SDK access to a significant amount of data and even potentially private user information. The SDK also specifically examines these open URL events to determine if a competitor's ad network SDK was the source of the activity."
Just a rumour
Mintegral has since responded to the accusations. Taking to Twitter, the Chinese company claimed "these allegations are not true. We are taking this matter very seriously and are conducting a thorough analysis of these allegations and where they are coming from."