updated 09:08 am EDT, Wed August 20, 2014
Package uses Cydia Substrate to replace the developer's ad ID with the attacker's
A new piece of malware started infecting jailbroken iOS devices earlier this year. The "AdThief" or "Spad" package hijacks advertising clicks and revenue, redirecting them to the author of the package rather than to the developer who inserted the advertising in the first place. The malware is simple and low profile: it replaces the developer's ID with the attacker's ID. The mobile ad kits targeted by AdThief are mostly from Chinese vendors, with four in the US and a pair in India.
The publication Virus Bulletin has likely identified the original author as "Rover12421," who is known for Android hacks. In a public comment in March, he claimed that the package was "closed" and denied having anything to do with its release.
Virus Bulletin (PDF) claims that 22 million ads have had income redirected, but it is unknown how much actual revenue this has generated. The package requires Cydia Substrate, the layer that allows custom code to be loaded and executed on jailbroken devices. Without Substrate, the malware has no effect and can't install, so un-jailbroken devices remain immune to the attack.