Malicious Package
Description
MintegralAdSDK (iOS) contains malicious functionality that tracks opened URLs and performs ad fraud, even when the SDK is not enabled for ads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MintegralAdSDK iOS versions 5.5.1 and above (up to 6.3.5.0) contain malicious code that hooks into UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters, and NSURLProtocol methods [1][2]. Even when the SDK is not enabled to serve ads, it tracks every URL opened by the app and sends obfuscated data to Mintegral servers, along with performing advertisement attribution fraud [2][3]. Anti-debug and proxy detection protections are included [1].
Exploitation
Mintegral can remotely activate the hooks on the mentioned iOS methods [3]. No user interaction is required beyond using an app that includes the SDK. The malicious functionality is silently active as soon as the app runs, logging all URL-based requests [2]. The SDK also examines open URL events to detect competitor ad networks and fraudulently report clicks [2].
Impact
Attackers (Mintegral) gain access to every URL opened within the app, potentially including personally identifiable information (PII) and other sensitive data [2]. Additionally, the SDK performs ad fraud by stealing revenue from competing ad networks and publishers through false click attribution [2]. This results in information disclosure of user activity and financial loss to app developers and other ad networks.
Mitigation
Upgrade MintegralAdSDK to version 6.6.0.0 or higher to remove the malicious functionality [3]. If upgrading is not possible, remove the SDK from the application entirely. There is no known workaround for versions below 6.6.0.0. The malicious behavior was disclosed publicly in August 2020 [2], and Apple and Google were notified.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mintegral/MintegralAdSDK
- Range: >=0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The MintegralAdSDK binary contains malicious method-swizzling hooks that intercept UIApplication openURL, SKStoreProductViewController loadProductWithParameters, and NSURLProtocol methods to exfiltrate every URL opened by the app, along with a remotely-configurable backdoor for arbitrary native function invocation via MTGBaseBridgeWebView."
Attack vector
An attacker (the SDK vendor) distributes the malicious SDK via CocoaPods; the malicious code in _CXX_CXX_OperationPKTask.load executes automatically at runtime regardless of whether the developer explicitly enables ads [ref_id=1]. The SDK contacts setting.rayjump.com to receive a JSON configuration that enables hooks for openURL, StoreKit, and NSURLProtocol interception [ref_id=1]. Once activated, every URL the user opens (including deep links, App Store product pages, and HTTP requests with Authorization headers) is encoded and sent to n.systemlog.me/log [ref_id=1]. The SDK also includes anti-debug, jailbreak, simulator, and proxy detection to evade analysis [ref_id=1].
Affected code
The malicious logic resides in the _CXX_CXX_OperationPKTask.o binary within the MintegralAdSDK Mach-O executable [ref_id=1]. The load method triggers ___cxxwebk_init_vw, which installs method-swizzling hooks on UIApplication openURL, SKStoreProductViewController loadProductWithParameters, and registers a custom NSURLProtocol subclass [ref_id=1]. The backdoor uses MTGBaseBridgeWebView.handleNativeObject:parameters: with MTGRemoteCommandParser and MTGCommandDispatcher to invoke arbitrary native functions [ref_id=1].
What the fix does
Mintegral released version 6.6.0.0, which removed the malicious _CXX_CXX_OperationPKTask component and the backdoor classes (MTGCommandDispatcher, MTGRemoteCommand, MTGRemoteCommandParser, MTGInvocationBoxing) identified in the diff analysis [ref_id=1]. The open-source release allowed verification that the method-swizzling hooks and remote-command backdoor were deleted. No patch is provided in the bundle beyond this version bump; the advisory recommends updating to 6.6.0.0 or later [ref_id=1].
Preconditions
- config: The app must include the MintegralAdSDK pod (versions 5.5.1 through 6.5.0.0) via CocoaPods or direct binary integration
- input: The SDK's load method executes automatically on app launch; no developer action is required to enable the malicious functionality
- network: The SDK must be able to reach setting.rayjump.com to fetch the remote configuration that activates the hooks
- config: The device must not be a simulator, jailbroken, or have a proxy enabled (anti-analysis checks suppress the hooks)
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
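The preconditions and fix description above give a defender two concrete things to check: the MintegralAdSDK version pinned in an app's Podfile.lock, and whether the class names the advisory attributes to the removed component are still present in a built binary. The following script is an added example, not code from the advisory or from Mintegral; the Podfile.lock excerpt is constructed, and the affected range is taken as 5.5.1 up to (but excluding) the 6.6.0.0 release that removed the component.

```python
import re

# Affected range stated in the advisory: 5.5.1 and later, removed in 6.6.0.0.
AFFECTED_MIN = "5.5.1"
FIXED_IN = "6.6.0.0"

# Class and symbol names the advisory attributes to the malicious component and
# the remote-command backdoor; finding them in an app binary is an indicator.
INDICATOR_SYMBOLS = (b"_CXX_CXX_OperationPKTask", b"MTGCommandDispatcher",
                     b"MTGRemoteCommandParser", b"MTGInvocationBoxing")

# Matches resolved pod lines such as "  - MintegralAdSDK (6.3.5.0):" in a Podfile.lock.
POD_LINE = re.compile(r"^\s*-\s+(MintegralAdSDK(?:/[\w-]+)?)\s+\(([\d.]+)\)")

def version_tuple(v, width=4):
    """Turn '6.3.5.0' or '5.5.1' into a comparable tuple, zero-padded to width."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def is_affected(version):
    """True when the pinned MintegralAdSDK version lies in [5.5.1, 6.6.0.0)."""
    return version_tuple(AFFECTED_MIN) <= version_tuple(version) < version_tuple(FIXED_IN)

def audit_podfile_lock(text):
    """Return [(pod, version)] for every MintegralAdSDK pod/subspec pinned to an affected version."""
    hits = []
    for line in text.splitlines():
        m = POD_LINE.match(line)
        if m and is_affected(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def find_indicators(binary):
    """Return the indicator class names present as raw strings in a binary blob."""
    return sorted(s.decode() for s in INDICATOR_SYMBOLS if s in binary)

# Constructed Podfile.lock excerpt for demonstration (not taken from a real project).
SAMPLE_PODFILE_LOCK = """PODS:
  - MintegralAdSDK (6.3.5.0):
    - MintegralAdSDK/Core (= 6.3.5.0)
  - MintegralAdSDK/Core (6.3.5.0)
DEPENDENCIES:
  - MintegralAdSDK
"""

if __name__ == "__main__":
    for pod, ver in audit_podfile_lock(SAMPLE_PODFILE_LOCK):
        print(f"{pod} {ver} is in the affected range; upgrade to {FIXED_IN} or later")
```

To check a built app, pass the bytes of its main Mach-O executable (or the MintegralAdSDK framework binary) to find_indicators; an empty list after upgrading to 6.6.0.0 confirms the removed classes are gone from the shipped build.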
References
- snyk.io/blog/sourmint-malicious-code-ad-fraud-and-data-leak-in-ios/
- snyk.io/research/sour-mint-malicious-sdk/
- snyk.io/vuln/SNYK-COCOAPODS-MINTEGRALADSDK-598852
News mentions
No linked articles in our index yet.