SourMint? Protecting yourself from click hijacking fraud on iOS
Singular releases first-to-market protection against iOS click hijacking attack
Ad fraud is continuously evolving, and this week security firm Snyk found evidence of malicious code in an iOS SDK. According to Snyk, the malicious code spies on users’ clicks and in-app activity and uses this data to perform ad fraud. Snyk named the exploit “SourMint.”
This blog post will address the following questions:
- What’s new about this attack?
- How does Singular detect these attacks?
- How can I protect my app?
What’s new about this attack?
Snyk’s report on “SourMint” shows that ad network SDKs can monitor and interfere with API calls performed by the integrating app or other SDKs it uses. These activities include snooping URL opens and App Store opens. As publishers use the SDK for ad monetization alongside other ad-monetization SDKs, these abilities allow perpetrators to perform a type of fraud known as Click Hijacking.
“As the first malicious SDK of this kind to infiltrate the iOS ecosystem, SourMint was very sophisticated. It avoided detection for so long by utilizing various obfuscations and anti-debugging tricks. Developers were unaware of the malicious package upon deploying the application, allowing it to proliferate for more than a year.” – Danny Grander, Snyk co-founder and CSO
Click Hijacking happens when a fraudulent party detects a legitimate ad click and injects its own click immediately afterward, winning the attribution under a last-click attribution model. Click Hijacking is often confused with Click Injection, and while both monitor user activity to generate fake clicks, they are very different. Click Injection monitors the OS for new app installs, while Click Hijacking monitors ad-serving apps for ad clicks. The difference is not just semantic: fraud prevention methods built for Click Injection don’t work against Click Hijacking.
The attack becomes even scarier since integration with the SDK is extremely easy when using ad-mediation platforms. Once integrated, the SDK can perform its attacks without even being initialized. Developers might think that they are protected if they don’t actively use the SDK, but in fact, they’re unknowingly loading the malicious code and allowing it to run.
SourMint and other such attacks chiefly impact ad networks and publishers, which lose the attributions for real installs they should have been credited for. At the same time, the attack still has a significant impact on advertisers and their reporting. Specifically, falsely attributed installs lead to higher CPIs and skewed data, which can cause misguided decision making and budget allocation.
Up to now, Click Hijacking and Click Injection were common on Android. This is the first time an attack of this type and magnitude has been seen on iOS. And it is a big deal.
Detecting Click Hijacking attacks in the wild
Upon learning of the attack, we immediately turned to our data to see whether we could find clues of Click Hijacking in the wild, and that is exactly what we found.
Since Click Hijacking attacks inject an additional click after the user has shown intent and been taken to the store, we expect to see more than one network competing over the same attribution. The fake click is injected shortly after the real click to make sure it is logged before the install happens. This behavior produces a distinctive signal: a very short time frame in which two or more clicks from different networks are observed for the same advertised app and device. Under normal circumstances, we would expect two such clicks to be separated by a significant time difference.
We checked our logs to find any installs that meet the following conditions:
- Attribution has more than one matching click (winning click and contributor)
- The winning click originated from a different network than the contributor click
- The duration between these two clicks was very short (less than 2 minutes in our analysis)
The scenario above is unlikely to happen in real life, as it requires the user to click on ads from two different ad networks within a very short period.
We ran this analysis, found evidence of Click Hijacking activity in some SDK-based networks, and compared the rate of suspicious activity before and after Snyk’s publication.
The data shows a clear, dramatic decrease within less than 24 hours of the publication of Snyk’s report.
The steep decrease indicates that the fraudsters engaged in such activities scaled down their operation to avoid backlash and detection following the publication.
First-to-market tech to combat click hijacking
We take the threat of ad fraud very seriously at Singular, so our Fraud Prevention team immediately got to work on new technology to detect and stop this scheme. Within 48 hours of the SourMint attack being exposed, we built and released a new fraud prevention method to combat future attacks of its kind: Click Hijacking Prevention. This prevention method works by detecting when a click from one source is followed closely by a click from a second source, and then rejecting or flagging the click from the second source. Singular Attribution customers can now enable Click Hijacking Prevention in their global fraud settings.
Much like Singular’s other fraud prevention methods, Click Hijacking Prevention can be further customized by creating rules with custom click-to-click time thresholds and coupling it with other conditions.
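To make the signal concrete, here is an added Python example (not Singular’s or Snyk’s code) that implements both views of it: the three-condition retrospective query from the “Detecting Click Hijacking attacks in the wild” section, run over a constructed click/install log, and a streaming prevention rule of the kind described above that rejects a click arriving shortly after another network’s click for the same device and app. The log schema, the device key, the 7-day lookback window and the 120-second default threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Click:
    ts: datetime
    device_id: str  # hashed device identifier (assumed attribution key)
    app_id: str     # advertised app
    network: str    # ad network that reported the click


@dataclass(frozen=True)
class Install:
    ts: datetime
    device_id: str
    app_id: str


LOOKBACK = timedelta(days=7)  # attribution window; an assumption for the example


def find_suspicious_installs(clicks: List[Click], installs: List[Install],
                             threshold: timedelta) -> List[Tuple[Install, Click, Click]]:
    """Retrospective check: (install, winning click, contributor click) for every
    install whose last two clicks come from different networks within `threshold`."""
    flagged = []
    for inst in installs:
        # last-click attribution: matching clicks for this device and app inside the window
        cands = sorted(
            (c for c in clicks
             if c.device_id == inst.device_id and c.app_id == inst.app_id
             and inst.ts - LOOKBACK <= c.ts <= inst.ts),
            key=lambda c: c.ts,
        )
        if len(cands) < 2:
            continue  # condition 1: need both a winner and a contributor
        winner, contributor = cands[-1], cands[-2]
        if winner.network == contributor.network:
            continue  # condition 2: two different networks competing
        if winner.ts - contributor.ts < threshold:
            flagged.append((inst, winner, contributor))  # condition 3: suspiciously close
    return flagged


class ClickHijackingFilter:
    """Streaming prevention rule. Clicks are assumed to arrive in time order; a
    rejected click is not remembered, so it cannot shield a later injected one."""

    def __init__(self, threshold: timedelta) -> None:
        self.threshold = threshold
        self._last: Dict[Tuple[str, str], Click] = {}

    def process(self, click: Click) -> Tuple[str, Optional[str]]:
        key = (click.device_id, click.app_id)
        prev = self._last.get(key)
        if (prev is not None and prev.network != click.network
                and timedelta(0) <= click.ts - prev.ts < self.threshold):
            gap = (click.ts - prev.ts).total_seconds()
            return "rejected", f"{gap:.0f}s after a {prev.network} click"
        self._last[key] = click
        return "accepted", None


# Constructed sample log: dev-A looks organic (two networks, hours apart),
# dev-B shows the hijack pattern (20 seconds apart), dev-C has a single click.
T0 = datetime(2020, 8, 25, 12, 0, 0)
SAMPLE_CLICKS = [
    Click(T0, "dev-A", "com.example.game", "network-1"),
    Click(T0 + timedelta(hours=3), "dev-A", "com.example.game", "network-2"),
    Click(T0, "dev-B", "com.example.game", "network-1"),
    Click(T0 + timedelta(seconds=20), "dev-B", "com.example.game", "network-2"),
    Click(T0, "dev-C", "com.example.game", "network-3"),
]
SAMPLE_INSTALLS = [
    Install(T0 + timedelta(hours=3, minutes=5), "dev-A", "com.example.game"),
    Install(T0 + timedelta(minutes=4), "dev-B", "com.example.game"),
    Install(T0 + timedelta(minutes=10), "dev-C", "com.example.game"),
]


def run_demo(threshold_seconds: int = 120):
    """Run both checks over the sample log with a custom click-to-click threshold."""
    threshold = timedelta(seconds=threshold_seconds)
    flagged = find_suspicious_installs(SAMPLE_CLICKS, SAMPLE_INSTALLS, threshold)
    filt = ClickHijackingFilter(threshold)
    decisions = [(c.device_id, c.network, filt.process(c)[0])
                 for c in sorted(SAMPLE_CLICKS, key=lambda c: c.ts)]
    return flagged, decisions


if __name__ == "__main__":
    flagged, decisions = run_demo()
    for inst, winner, contributor in flagged:
        gap = (winner.ts - contributor.ts).total_seconds()
        print(f"suspicious install {inst.device_id}: {winner.network} beat "
              f"{contributor.network} by {gap:.0f}s")
    for device, network, verdict in decisions:
        print(f"{device} {network}: {verdict}")
```

With the default threshold only dev-B is flagged and only its second click is rejected; lowering the threshold to 10 seconds clears both, which is the trade-off behind a custom click-to-click threshold: a tighter window produces fewer false positives on genuine double-clickers but lets slower injections through. Note that the rule deliberately ignores two clicks from the same network, matching the second condition above, and that it keys on a device identifier, so it only applies where such an identifier is available for matching.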
Note that Click Hijacking Prevention is included for all Singular Attribution customers without any additional add-on fees.