PT-2020-19728 · Mintegral · Mintegraladsdk

Alyssa Miller · Published 2020-08-24 · Updated 2020-09-02 · CVE-2020-7705

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

MintegralAdSDK versions 0.0.0 and later

Description

The issue concerns malicious functionality within the MintegralAdSDK that tracks and reports any URL opened by the app, facilitating advertisement attribution fraud. The SDK can remotely activate hooks on various methods, including UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters, and NSURLProtocol, along with employing anti-debug and proxy detection protection. If these hooks are active, the MintegralAdSDK sends obfuscated data about every opened URL to its servers, even if the SDK is not enabled for serving ads.

Recommendations

For MintegralAdSDK version 0.0.0, consider disabling the SDK until a patch is available to prevent the malicious functionality from tracking and reporting URL openings. As a temporary workaround, restrict access to the UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters, and NSURLProtocol methods to minimize the risk of exploitation. Avoid using the MintegralAdSDK for serving ads until the issue is resolved to prevent advertisement attribution fraud.

Fix

Clickjacking


Weakness Enumeration

Related Identifiers

CVE-2020-7705
SNYK-COCOAPODS-MINTEGRALADSDK-598852

Affected Products

Mintegraladsdk