This article originally appeared in SC Magazine on June 25, 2019.
A new steganography campaign targeting iOS devices exploits demand-side adtech providers and adtech vendors to serve malware to millions of consumers.
The Media Trust Digital Security and Operations team has detected that at least five publishers, three demand-side vendors, and 11 other adtech vendors have been used to spread the malware Stegoware-3PC residing in PNG files on devices using iOS 12. The PNG files are embedded in fake ads supposedly representing well-known online retailers, but when clicked redirect the victim to a phishing scam site.
“The ads prompt visitors to shop and, in so doing, enter their personal information. The malware exfiltrates the information and sends it to a malicious command and control server,” wrote Mike Bittner, associate director of digital security and operations at The Media Trust.
The Digital Security and Operations team has supplied the affected adtech firms with the information needed to identify the source of the malware so it could be removed.
Bittner noted that the introduction of Stegoware-3PC marked a technological jump in this type of malware's sophistication: it uses only 149 lines of code, compared with almost 2,000 in ShapeShifter-3PC.
“Stegoware-3PC’s parsimonious use of code belies its sophisticated techniques and procedures: it triggers two PNG files that conceal malicious code, makes use of multiple malicious domains once the users are redirected, and conducts various checks to make sure it is executing in an iOS device and not an Android device, a sandbox, or virtual machine,” he said.
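As an added illustration of the kind of check an ad-creative review pipeline can run against image assets (this is example code, not code from The Media Trust or the article): a PNG chunk walker that flags the usual places where non-image data is tucked into a file. The article does not say how Stegoware-3PC conceals its code inside the PNGs, so the indicators checked here (bytes after IEND, non-standard chunk types, script-like text chunks, CRC mismatches) are assumptions, and the sample images are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a plain raster PNG is expected to carry; anything else deserves a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
                b"iCCP", b"pHYs", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"tIME", b"sBIT"}

def png_chunk(ctype, data):
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

def inspect_png(blob):
    """Walk the chunk list; return a list of findings (empty list means nothing suspicious)."""
    if not blob.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    findings, pos, saw_iend = [], len(PNG_SIGNATURE), False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_stored = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_stored) < 4:
            findings.append("truncated chunk %r" % ctype)
            break
        if struct.unpack(">I", crc_stored)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            findings.append("bad CRC on chunk %r" % ctype)  # chunk body altered after encoding
        if ctype not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %r (%d bytes)" % (ctype, length))
        # Metadata chunks should hold text, not markup or script.
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and (b"<script" in data or b"eval(" in data):
            findings.append("script-like content in %r" % ctype)
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            if len(blob) - pos:
                findings.append("%d bytes after IEND" % (len(blob) - pos))  # decoders ignore this region
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    return findings

def build_sample(extra_chunk=b"", trailer=b""):
    """Constructed 1x1 greyscale PNG, optionally with an extra chunk and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                   # filter byte + one pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + extra_chunk
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"") + trailer)
```

Running `inspect_png` over every image a creative passes through, and rejecting or quarantining anything with findings, catches the cheap hiding places before the asset reaches a publisher's page.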