Apple removed an iOS application from its Chinese iTunes App Store that allowed users of non-jailbroken iOS devices to install pirated and jailbroken apps. Researchers at Palo Alto Networks, who discovered the rogue application, said the app was not malicious, but presented a serious security risk if developers behind the application used the crack in Apple’s walled garden to distribute malware.
Ryan Olson, director of threat intelligence for Palo Alto Networks, told Threatpost the app used a sophisticated method of bypassing Apple’s strict review process. He said the app’s developers took advantage of certificates issued by the Apple Developer Enterprise Program in tandem with the Apple developer tool Xcode.
“This is a sophisticated new approach of successfully evading Apple’s code review,” Olson said. “We have classified this app as Riskware because we have not identified any malicious functionality in the app,” he said.
The Chinese app, which Palo Alto named ZergHelper or XY Helper, was discovered over the weekend by researcher Claud Xiao who posted a description of the his findings on Sunday.
Here is how Chinese developers tricked Apple in three steps:
First, developers created a fully functional English language learning app called Happy Daily English. The app, according to Xiao, “appears to have gotten by Apple’s app review process by performing different behaviors for users from different physical locations. For users outside of China, it would act as what it claimed: an English learningĀ app. However, when accessing the app from China, its real features would appear.”
When used inside China and with China-based IP addresses, the ZergHelper app was called XY Helper. “ZergHelper’s (XY Helper) main functionality appeared to be to provide another App Store that includes pirated and cracked iOS apps and games,” Xiao wrote.
By modifying the apps’ functionality and name based on geographic location, Palo Alto researchers say, the Chinese developers were able to trick Apple reviews, located outside the US, to believe the app preformed only as an English language tool.
Next, developers behind the ZergHelper app were able to install pirated apps on non-jailbroken iOS devices by abusing a combination of Apple’s enterprise certificates and its Xcode 7 developer certificates.
In order to run pirated iOS apps from the bogus Apple app store, users of ZergHelper who downloaded an app were unknowingly accepting an Apple Developer Enterprise Program certificate. The Apple Developer Enterprise Program is designed to allow Apple enterprise customers to build and deploy custom apps that do not appear in the App store.
According to Palo Alto researchers, once a pirated app was installed on the iOS device, ZergHelper would then silently certify the app in question using Apple’s Xcode 7 program. Xcode is used by developers so they can build apps, sign them and have them run on their own devices before publishing them to Apple’s official app store.
“We don’t know if there are other applications out there that have this capability,” Olson said. “It’s possible. Apple removed this app from its store. But this is the kind of thing that causes a continuous arms race between good guys and bad guys.”
A bad acting application, Olson said, could gain access to shared data on an iOS client. That app could then have access to the devices camera, microphone, contacts, location information and data that is shared between apps on the phone.
The app was made available in the official Chinese Apple App Store on October 30, 2015 and removed by Apple Feb. 19 after Palo Alto Networks alerted Apple to ZergHelper’s hidden functionality.
