Chinese devs abuse free Apple app-testing certs to install pirated apps

Sideloading technique for testing iOS apps empowers malware on non-jailbroken devices

A Chinese iOS application recently found on Apple's official store contained hidden features that allow users to install pirated apps on non-jailbroken devices. Its creators took advantage of a relatively new feature that lets iOS developers obtain free code-signing certificates for limited app deployment and testing.

The number of malware programs for iOS has been very low until now primarily because of Apple's strict control of its ecosystem. Devices that have not been jailbroken -- having their security restrictions removed -- only allow apps obtained from the official App Store, after they've been reviewed and approved by Apple.

There is a separate method for enterprises to distribute in-house developed apps to iOS devices without publishing them on the app store, but it relies on special code-signing certificates obtained through the Apple Developer Enterprise Program.

Enterprise certificates have been used to install malware on non-jailbroken iOS devices in the past, and this is one of the techniques used by the newly found Chinese app, which is called ZergHelper or XY Helper. However, it's not the most interesting one.

According to researchers from security firm Palo Alto Networks, ZergHelper also abuses personal development certificates, a new type of code-signing certificate introduced by Apple with the release of Xcode 7.0 in September. Xcode is the main tool -- or integrated development environment (IDE) -- used to develop iOS and Mac OS X apps.

Starting with Xcode 7, developers can build apps, sign them and have them run on their own devices without publishing them in the app store. This makes it a lot easier to test apps without enrolling in Apple's Developer Program, which requires a $99 per year subscription.

To generate personal development certificates, app makers have to use Xcode with their phone connected to their computer. The exact process in which Xcode obtains the certificates from Apple is not publicly documented, but the ZergHelper creators seem to have figured it out.

"We think someone has reverse-engineered Xcode in detail to analyze this part of code so that they can implement exactly the same behaviors with Xcode -- in effect, successfully cheating Apple’s server," the Palo Alto Networks researchers said in a blog post.

After the feature was released last year, some people expressed concerns that attackers might abuse it to create and distribute malware to non-jailbroken devices. ZergHelper is evidence that this is indeed possible, highlighting its potential for abuse "in a wide-ranging and automated way," the researchers said.

In fact, someone was recently selling code on a popular Chinese security forum that could automatically register Apple IDs and then generate personal development certificates for them. That post has since been deleted, the researchers said.

ZergHelper is also providing free Apple IDs to users and it's not clear where those IDs are coming from and whether the app steals them from other devices. The app was available in the official app store from the end of October until Saturday, when Apple removed it after being alerted by Palo Alto Networks.

The company's researchers found no explicitly malicious behavior in ZergHelper so far, its main goal being to act as an alternative app store that allows users to install cracked games and other pirated apps without jailbreaking their iOS devices.

Its creators appear to have got past Apple's reviewers with simple tricks. The app was submitted to the app store under the name "Happy Daily English" (in Chinese) and was presented as a helper app for learning English.

Once installed on a phone, the app behaved as advertised if the user's IP (Internet Protocol) address was from outside mainland China. However, if the address was from China, a different interface would appear that would guide users through installing a provisioning profile. This is similar to the process that a device goes through when it's enrolled into a mobile device management system.

Once done, users could install apps from the alternative app store. Some of them were signed with stolen enterprise certificates, but others were signed with the new personal development certificates that Xcode generates for free.
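Defenders inventorying sideloaded apps can tell these signing paths apart from the provisioning profile each app carries. The following script is an added example, not code from the article or from Palo Alto Networks: it pulls the XML plist out of a .mobileprovision blob and classifies it as App Store, enterprise, paid development or free personal development. The sample profile is constructed, and the seven-day validity window used to flag free Xcode provisioning is an assumption of this example.

```python
import plistlib
from datetime import timedelta

# Constructed sample: the XML plist that a .mobileprovision file carries inside
# its CMS (PKCS#7) signature wrapper. Only the plist part is built here.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>iOS Team Provisioning Profile: com.example.helper</string>
<key>CreationDate</key><date>2016-02-20T10:00:00Z</date>
<key>ExpirationDate</key><date>2016-02-27T10:00:00Z</date>
<key>ProvisionedDevices</key><array><string>CONSTRUCTED-UDID-0001</string></array>
<key>Entitlements</key><dict><key>get-task-allow</key><true/></dict>
</dict></plist>"""


def profile_bytes(fields: dict) -> bytes:
    """Helper for building further constructed profiles (XML plist, no CMS wrapper)."""
    return plistlib.dumps(fields)


def extract_plist(blob: bytes) -> dict:
    """Locate the embedded XML plist inside a (possibly CMS-wrapped) profile.
    The plist is stored uncompressed, so the XML markers are enough for an
    inventory pass; the CMS signature itself is not verified here."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict, max_free_days: int = 7) -> str:
    """Map profile keys to the signing path that produced the app."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"  # in-house distribution; installs on any device
    if "ProvisionedDevices" not in profile:
        return "app-store"  # store/distribution profiles carry no device list
    validity = profile["ExpirationDate"] - profile["CreationDate"]
    if validity <= timedelta(days=max_free_days):
        return "personal-development"  # short-lived, free Xcode provisioning (assumed window)
    return "development"  # paid developer or ad-hoc profile with a device list


if __name__ == "__main__":
    print(classify_profile(extract_plist(SAMPLE_PLIST)))
```

Apps whose profile classifies as "enterprise" or "personal-development" were never reviewed by Apple and deserve a closer look in a fleet inventory.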

"We don’t know where the App Store reviewers are located," the Palo Alto Networks researchers said. "If they are not located in mainland China, this method could trick them into seeing a legitimate app. Even if they’re in China, the author could just shut down that webpage during the review period so that reviewer could not see the actual functionality through an analysis of its behavior."

The app also used another increasingly popular technique that allows developers to dynamically change their apps' code without submitting a new version to the official app store for review. This was done by integrating a framework called wax that bridges Lua scripting to native iOS Objective-C methods.

While ZergHelper is not malware per se, the techniques it uses could inspire future malicious attacks. Stolen enterprise certificates have been abused in the past, but ZergHelper takes it one step further by automatically generating free personal development certificates.

"This is of concern because the abuse of these certificates may be the first step toward future attacks," the Palo Alto Networks researchers said.

Stories by Lucian Constantin