The Secure Developer

Many developers and publishers serve as unwitting vehicles for malware. Today we speak with Snyk co-founder and Chief Security Officer Danny Grander about SourMint — a malicious SDK that has been integrated into popular apps, seeing a total of 1.2 billion downloads per month. That was before it was exposed by the Snyk research team. We open our conversation by summarizing the scandal and unpacking what SourMint is, with details on how it tracks Android and iOS user behavior while allowing for remote command execution. We then dive into how Mintegral, the creators of the SDK, hid its behavior before exploring the range of apps affected by SourMint. After chatting about the role that Snyk plays in hunting for malicious code, Danny shares insights into how they discovered SourMint. We talk about SourMint’s victims and how we can assign responsibility to both developers and marketplace vendors. Near the end of the episode, we reflect on the challenge of protecting people who are using old versions of apps that still have malicious SDK integrated into them. While the scale of SourMint’s reach seems unprecedented, it's a story that’s becoming increasingly common. Tune in to hear what we can do to protect ourselves from malicious code.