Company
Date Published
Author
Kirill Efimov
Word count
5703
Language
English
Hacker News points
None

Summary

The Mintegral SDK, a widely used mobile advertising SDK, was found to contain several malicious behaviours: excessive data collection on both iOS and Android, remote code execution (RCE) on iOS devices, and tracking of APK downloads on Android. On iOS the SDK uses method swizzling to replace the implementations of UIApplication openURL and SKStoreProductViewController loadProductWithParameters at runtime, which lets it spy on the user's link clicks and the network activity of the host app; this visibility can be used to perform advertisement attribution fraud. The SDK also contains a backdoor that allows RCE on iOS devices. The Android distribution tracks every APK download, organic or not, and reports it to Mintegral's servers. A demo app was built to reproduce the behaviour, including enabling the SDK's net debug flag via reflection to bypass its anti-debug logic and downloading files from URLs that contain Google.com or end with .apk. The findings were responsibly disclosed to Apple, IronSource, MoPub (Twitter), and Google. Mintegral has since released several SDK versions that remove some of the malicious features; however, iOS version 6.3.5.0 was found to still contain a backdoor allowing RCE. The research team continues to monitor the situation and will disclose new findings as they become available.
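The runtime hook described above, as an added example that is not part of the original post and not the Mintegral SDK's own code: the first half shows how a swizzle of -[UIApplication openURL:] is installed with the Objective-C runtime, and the second half shows a check an app can run at startup to find out which Mach-O image the current implementation of that selector lives in. The category and function names (DemoSwizzle, demo_openURL:, InstallDemoSwizzle, ImageForOpenURLImplementation, OpenURLIsUnswizzled) are assumptions chosen for this example.

```objective-c
// Added example (not from the original post or the Mintegral SDK).
#import <UIKit/UIKit.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// --- Attacker side: what a swizzle of openURL: looks like ---
@interface UIApplication (DemoSwizzle)
- (BOOL)demo_openURL:(NSURL *)url;
@end

@implementation UIApplication (DemoSwizzle)
- (BOOL)demo_openURL:(NSURL *)url {
    // Once exchanged, every URL the host app opens passes through here
    // first; a hostile SDK could log, report or rewrite it.
    NSLog(@"intercepted openURL: %@", url);
    // After method_exchangeImplementations, demo_openURL: resolves to the
    // original UIKit implementation, so this call is not recursive.
    return [self demo_openURL:url];
}
@end

// Swap the IMPs of openURL: and demo_openURL: on UIApplication.
static void InstallDemoSwizzle(void) {
    Class cls = [UIApplication class];
    Method orig = class_getInstanceMethod(cls, @selector(openURL:));
    Method repl = class_getInstanceMethod(cls, @selector(demo_openURL:));
    if (orig && repl) {
        method_exchangeImplementations(orig, repl);
    }
}

// --- Defender side: where does the IMP for openURL: come from? ---
// Returns the path of the loaded image that contains the current IMP of
// -[UIApplication openURL:], or nil if it cannot be resolved.
static NSString *ImageForOpenURLImplementation(void) {
    Method m = class_getInstanceMethod([UIApplication class], @selector(openURL:));
    if (!m) return nil;
    IMP imp = method_getImplementation(m);
    Dl_info info;
    if (dladdr((const void *)imp, &info) == 0 || info.dli_fname == NULL) return nil;
    return [NSString stringWithUTF8String:info.dli_fname];
}

// YES when the implementation still lives in UIKit (UIKitCore on newer iOS).
// A swizzle installed by a statically linked SDK moves the IMP into the
// app's own executable, and a dynamically linked SDK moves it into that
// framework's image; either way the path no longer points at UIKit.
static BOOL OpenURLIsUnswizzled(void) {
    NSString *image = ImageForOpenURLImplementation();
    if (!image) return NO;
    return [image containsString:@"/UIKit.framework/"]
        || [image containsString:@"/UIKitCore.framework/"];
}

// Demonstration: run the check before and after the swizzle is installed.
static void RunSwizzleDemo(void) {
    NSLog(@"before: image=%@ unswizzled=%d",
          ImageForOpenURLImplementation(), OpenURLIsUnswizzled());
    InstallDemoSwizzle();
    NSLog(@"after:  image=%@ unswizzled=%d",
          ImageForOpenURLImplementation(), OpenURLIsUnswizzled());
}
```

Call RunSwizzleDemo from application:didFinishLaunchingWithOptions: in a scratch project to see the image path change. The same check generalises to any selector an app considers sensitive (the page's other target, loadProductWithParameters: on SKStoreProductViewController, works identically with the StoreKit framework path); note that it only detects IMP replacement, not hooks that patch UIKit's code in place or interpose at the dyld level.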