You may have read about Apple pulling over 250 iOS apps from the App Store for various privacy violations. These apps used the Youmi advertising software development kit (SDK), which is also used in Android app development. Apple pulled the apps from the App Store because the SDK's behavior violated its security and privacy policies. Symantec and Norton products have blocked this particular development kit since February 2015. Norton products detect the Android variant of Youmi as Android.Youmi.
Analysis of the Android variant of Youmi found that it could compromise the user’s privacy by remotely sending the following information to an attacker:
- Device location (such as GPS coordinates and cell tower location)
- Device-identifying information (such as International Mobile Station Equipment Identity (IMEI), kernel version, phone manufacturer, or phone model details)
- Network operator locations
- Phone numbers
- A list of all applications installed on the iOS device
- The platform serial number of iPhones and iPads running older versions of iOS
- A list of hardware components and the serial numbers for devices running new versions of iOS
- The Apple ID email address associated with the iOS device
In addition to stealing information, the ad library was also found to be downloading and requesting the installation of new applications, and creating shortcut advertisements on the home screen.
In a statement, Apple confirmed that all 256 apps used the Youmi SDK, and were gathering information about the user and routing it back to a remote server.
This is the second time Apple has recently removed apps from the App Store for compromising users’ privacy. In September, Apple removed dozens of Chinese-language iOS apps infected with XcodeGhost malware, which allowed attackers to hijack browsers and create fake phishing alerts to steal usernames and passwords.
How To Stay Protected:
- Delete the app and wait for a new version of the app to be made available
- Watch out for any suspicious emails or push notifications to your device asking for your Apple credentials, or any personally identifying information