An app called 开心日常英语 (“Happy Daily English”), which has been offered for download via Apple’s official App Store, has been revealed to be a fully functional third party App Store client for iOS, offering users in mainland China a way to install modified versions of iOS apps on non-jailbroken devices.
Its discovery shows that there are new techniques that can be used to fool Apple reviewers into allowing potentially malicious apps into the App Store, that enterprise certificates can be easily abused, and that there are ways to bypass Apple’s prohibition on apps dynamically loading new code.
How did this happen?
The app wasn’t flagged as potentially dangerous by Apple’s strict code reviewers, most likely because it presented itself as a simple English-learning app to anyone (a reviewer or a user) who opened it from outside China, and showed its true face only to users located in China.
Also, it’s coded in the Lua programming language, and because Lua scripts are fetched and interpreted at runtime rather than shipped as reviewed native code, the developers could update the app remotely and repeatedly without triggering Apple’s app review process.
The app was available for download in the App Store for over three and a half months (from October 30, 2015 to the end of last week), but has now been removed.
The researchers haven’t found any actual malicious functionality in the app, but given its capabilities, it should definitely be considered risky to use. They dubbed it ZergHelper, and discovered more than 50 enterprise-signed versions of the app being distributed in the wild through alternative channels.
ZergHelper allows the installation of modified (and potentially malicious) versions of iOS apps, abuses enterprise certificates and personal certificates to sign and distribute apps, asks users to enter an Apple ID and uses it to log in to an Apple server to perform operations in the background, and offers valid Apple IDs to users who don’t have one or don’t want to use their own (it’s still unknown where these Apple IDs came from).
“In addition to its abuse of enterprise certificates, this riskware used some new and novel approaches to install apps on non-jailbroken devices,” the researchers pointed out.
“It re-implemented a tiny version of Apple’s iTunes client for Windows to log in, purchase and download apps. It also implemented some functionalities of Apple’s Xcode IDE to automatically generate free personal development certificates from Apple’s server to sign apps on the iOS devices – which means the attacker has analyzed Apple’s proprietary protocols and abused the new developer program introduced eight months ago.”
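The two risk signals the article keeps returning to, code that is interpreted at runtime (the Lua scripts that let the app change without a new review) and distribution under an enterprise or personal signing certificate rather than through the App Store, are both visible in an unpacked app bundle. The following triage script is an added example written for this article; it is not code from the researchers or from the app itself. It assumes a bundle laid out as an extracted `.app` directory with an `embedded.mobileprovision` file, uses the `ProvisionsAllDevices` provisioning-profile key as the enterprise-distribution indicator, and treats the Lua runtime symbol names and `.lua`/`.luac` file extensions as heuristic markers (an assumption, not a signature from the page). It builds a small constructed bundle in a temporary directory so it runs offline; the signature on the provisioning profile is not verified here.

```python
"""Heuristic triage of an unpacked iOS app bundle (added example, not from the page).

Reports two risk indicators discussed in the article:
  * runtime-interpreted code: Lua scripts, or a Lua runtime linked into a binary
  * enterprise (in-house) signing: ProvisionsAllDevices in embedded.mobileprovision
"""
import os
import plistlib
import re
import tempfile

LUA_SCRIPT_EXT = (".lua", ".luac")
# Exported symbol names of a statically linked Lua runtime (assumed indicators).
LUA_RUNTIME_MARKERS = (b"luaL_newstate", b"lua_pcall", b"luaL_loadbuffer", b"luaL_loadstring")
# embedded.mobileprovision is a CMS blob wrapping an XML plist; pull the plist out.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def provisioning_profile_info(profile_bytes):
    """Return team name, enterprise flag and device count from a provisioning
    profile, or None if no plist is found. The CMS signature is NOT checked."""
    match = _PLIST_RE.search(profile_bytes)
    if not match:
        return None
    plist = plistlib.loads(match.group(0))
    return {
        "team": plist.get("TeamName"),
        # True only for enterprise in-house profiles; ad hoc/dev profiles list devices instead.
        "enterprise": bool(plist.get("ProvisionsAllDevices", False)),
        "device_count": len(plist.get("ProvisionedDevices", [])),
    }


def scan_bundle(app_dir):
    """Walk an extracted .app directory and collect the indicators."""
    findings = {"lua_scripts": [], "lua_runtime": [], "profile": None}
    for dirpath, _, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, app_dir)
            if name.lower().endswith(LUA_SCRIPT_EXT):
                findings["lua_scripts"].append(rel)
                continue
            with open(path, "rb") as f:
                blob = f.read()
            if name == "embedded.mobileprovision":
                findings["profile"] = provisioning_profile_info(blob)
                continue
            if any(marker in blob for marker in LUA_RUNTIME_MARKERS):
                findings["lua_runtime"].append(rel)
    return findings


def risk_flags(findings):
    """Translate raw findings into the two risk statements a reviewer cares about."""
    flags = []
    if findings["lua_scripts"] or findings["lua_runtime"]:
        flags.append("runtime-interpreted code: behaviour can change without a new review")
    profile = findings["profile"]
    if profile and profile["enterprise"]:
        flags.append("enterprise-signed: installable outside the App Store on any device")
    return flags


def build_sample_bundle(root):
    """Construct a toy bundle (not a real app) that carries both indicators."""
    app = os.path.join(root, "Sample.app")
    os.makedirs(os.path.join(app, "scripts"))
    with open(os.path.join(app, "scripts", "main.lua"), "w") as f:
        f.write('print("constructed sample script")\n')
    # Fake Mach-O-like binary: magic bytes followed by Lua runtime symbol names.
    with open(os.path.join(app, "Sample"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"luaL_newstate\x00lua_pcall\x00")
    # Fake provisioning profile: junk bytes standing in for the CMS wrapper around the plist.
    profile_plist = plistlib.dumps({"TeamName": "Example Corp (constructed)", "ProvisionsAllDevices": True})
    with open(os.path.join(app, "embedded.mobileprovision"), "wb") as f:
        f.write(b"\x30\x82\x00\x00" + profile_plist + b"\x00" * 8)
    return app


def demo():
    """Build the constructed bundle, scan it, and return (findings, flags)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_bundle(build_sample_bundle(tmp))
    return findings, risk_flags(findings)


if __name__ == "__main__":
    found, flags = demo()
    print("team:", found["profile"]["team"])
    for flag in flags:
        print("FLAG:", flag)
```

On a real bundle, point `scan_bundle` at the `Payload/<Name>.app` directory of an unzipped IPA. The string markers will produce false positives for legitimate apps that ship a Lua engine, so treat the output as a prompt for closer inspection, and verify the provisioning profile's signature with platform tooling before trusting its contents.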
So far, it seems that ZergHelper didn’t steal any account information and collected only some device information for statistical purposes.
“ZergHelper’s main functionality appeared to be to provide another App Store that includes pirated and cracked iOS apps and games,” the researchers noted.
The app was developed by a company in China; the developers took the original, open-source “Happy Daily English” app and embedded their own code in it.