Ad library behind pulled iOS apps also used in Android development 

Oct 20, 2015 07:45 AM

The Youmi advertising software development kit (SDK) that was responsible for 256 iOS apps being pulled from the Apple App Store is also used in Android app development and has been blocked by Symantec and Norton products since February 2015.

Analysis of the Android variant of Youmi (detected by Symantec as Android.Youmi) flagged it as a potentially unwanted application since it performed a range of actions that could compromise the user’s privacy.

The Youmi ad library was found sending the following information to a remote location:

  • Device location (such as GPS coordinates and cell tower location)
  • Device-identifying information (such as International Mobile Station Equipment Identity (IMEI), kernel version, phone manufacturer, or phone model details)
  • Network operator location
  • Phone number

The ad library was also found to download and request the installation of new applications and create shortcut advertisements on the home screen or in the application list.

App analytics firm SourceDNA this week found that 256 iOS apps containing Youmi on the App Store were sending back personal and device information on users without their knowledge or consent. This included:

  • A list of all applications installed on the iOS device
  • The platform serial number of iPhones and iPads running older versions of iOS
  • A list of hardware components and the serial numbers for devices running new versions of iOS
  • The Apple ID email address associated with the iOS device

In a statement, Apple confirmed that all 256 apps used the Youmi SDK and were using private APIs to gather information about the user and route it back to a company server. The apps had been pulled from the App Store because this behavior was in violation of Apple’s security and privacy policies. Apple added that it would no longer accept apps developed using the Youmi SDK.

This is the second time in recent months that Apple has had to remove apps from the App Store because they compromised the user’s privacy. In September a number of apps were withdrawn after they were found to have been developed using XcodeGhost, a malicious version of Apple’s software developer environment for iOS and Mac OS X apps (detected by Symantec as OSX.Codgost). Apps created with this malicious Xcode variant were configured to collect information on devices and upload that data to command-and-control (C&C) servers.

While Apple makes Xcode freely available, developers in China experienced difficulties downloading it directly from the company. As a result, a number of Chinese developers resorted to downloading copies hosted on local sites. Unbeknownst to them, attackers modified one such package to create XcodeGhost. Apple has said it will offer locally hosted Xcode downloads within China in future.

Mitigation
There is no indication that any app developer who used the Youmi SDK in their products was aware of its malicious behavior. Mobile app developers are advised to stop using Youmi to develop apps for any platform.

Protection
Symantec and Norton products detect the Android variant of Youmi as Android.Youmi.
