Poison app peddled in Apple’s “safe” store

Apple is proud of the fact that it polices its App Store more carefully than Eastern Europe was policed during the Cold War. However, it turns out that at least one app got over the Berlin Wall.

An app called 开心日常英语 (“Happy Daily English”), which was offered for download via Apple’s official App Store, gave users in mainland China a way to install modified versions of iOS apps on non-jailbroken devices. The app was available in the App Store for over three and a half months but has now been removed.

What is interesting is that the people who created the app fooled Apple reviewers into allowing potentially malicious apps into the App Store by using an enterprise certificate.

The app was not flagged as potentially dangerous by Apple’s strict code reviewers, most likely because it was made to look like a simple app for learning English. It showed its true face only to users located in China.

It was coded in Lua, which allowed the developers to update the app remotely and repeatedly without triggering Apple’s app review process.

To be fair, the researchers haven’t discovered any actual malicious functionality in the app, but given what it does, it should never have gotten onto the App Store. There are more than 50 enterprise-signed versions of the app being distributed in the wild through alternative channels.

Dubbed ZergHelper, it allows the installation of modified versions of iOS apps, abuses enterprise certificates and personal certificates to sign and distribute apps, asks users to input an Apple ID and uses it to log in to an Apple server to perform operations in the background, and offers valid Apple IDs to users who don’t have one or don’t want to use their own.

The programmers used a cut-down version of Apple’s iTunes client for Windows to log in, purchase and download apps. It also reimplemented some functionality of Apple’s Xcode IDE to automatically generate free personal development certificates from Apple’s server and sign apps on the iOS devices themselves.
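Enterprise and personal development certificates leave a trace that a defender can check: an app installed outside the App Store carries an embedded.mobileprovision profile, and the keys inside it say whether the build is enterprise (ProvisionsAllDevices), development (get-task-allow entitlement), ad hoc (ProvisionedDevices) or store-signed, along with the team name and expiry. The following example is added here and is not code from the article or from the researchers who analysed ZergHelper; the two profile blobs are constructed for the example, and the byte prefix standing in for the CMS wrapper is a placeholder. It reads the plist without verifying the CMS signature, so it answers “how was this signed?” but not “is the signature genuine?”.

```python
"""Added example: classify an iOS provisioning profile (embedded.mobileprovision)
so an analyst can tell enterprise- or developer-certificate sideloads from
App Store builds. The sample profiles below are constructed for this example."""
import plistlib
from datetime import datetime


def extract_plist(blob):
    """A profile is a CMS (PKCS#7) signature wrapping an XML plist. The plist
    text is embedded verbatim, so slicing from the XML header to </plist> is
    enough to read its claims. NOTE: this does not verify the CMS signature."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def profile_kind(profile):
    """Map the keys Apple writes into a profile to a distribution type."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"   # in-house profile: installs on any device, no store review
    if profile.get("Entitlements", {}).get("get-task-allow"):
        return "development"  # debuggable build signed with a developer certificate
    if profile.get("ProvisionedDevices"):
        return "adhoc"        # distribution limited to the listed device UDIDs
    return "appstore"         # store distribution profile


def assess_profile(blob, now_iso):
    """Return the type, signing team and findings a reviewer would want to see.
    now_iso is the assessment date as YYYY-MM-DD (passed in to keep this testable)."""
    profile = extract_plist(blob)
    kind = profile_kind(profile)
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    findings = []
    if kind == "enterprise":
        findings.append("enterprise-signed: bypasses App Store review, "
                        "verify TeamName is an expected in-house team")
    elif kind == "development":
        findings.append("development-signed: personal certificate, short-lived profile")
    expires = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if expires is not None and expires < now:
        findings.append("profile expired")
    return {"kind": kind, "team": profile.get("TeamName"), "findings": findings}


# Constructed samples: a placeholder DER prefix/suffix around a hand-written plist.
SAMPLE_ENTERPRISE = b"\x30\x82\x1a\x2b\x06\x09" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Example Helper</string>
    <key>TeamName</key><string>Example Corp (constructed)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>CreationDate</key><date>2015-11-01T00:00:00Z</date>
    <key>ExpirationDate</key><date>2016-11-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>get-task-allow</key><false/>
        <key>application-identifier</key><string>TEAMID0000.com.example.helper</string>
    </dict>
</dict>
</plist>""" + b"\x00\x00"

SAMPLE_DEVELOPMENT = b"\x30\x82\x1a\x2b\x06\x09" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Example Helper</string>
    <key>TeamName</key><string>Personal Team (constructed)</string>
    <key>ProvisionedDevices</key>
    <array><string>00000000-000000000000000A</string></array>
    <key>CreationDate</key><date>2016-02-10T00:00:00Z</date>
    <key>ExpirationDate</key><date>2016-02-17T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>get-task-allow</key><true/>
    </dict>
</dict>
</plist>""" + b"\x00\x00"


if __name__ == "__main__":
    for name, blob in (("enterprise", SAMPLE_ENTERPRISE), ("development", SAMPLE_DEVELOPMENT)):
        print(name, assess_profile(blob, "2016-02-21"))
```

On a real device the profile sits inside the app bundle (Payload/<App>.app/embedded.mobileprovision); App Store installs carry none, so the mere presence of one on a non-jailbroken phone is itself worth a look. Treat the classification as a triage signal: a genuine in-house team name is expected on managed devices, an unfamiliar one behind a consumer-facing app is not.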

What this means for Apple is that the attacker has analysed Apple’s proprietary protocols and abused the new developer program introduced eight months ago.

It has not stolen account information and has collected only some device information for statistical purposes.

ZergHelper’s main functionality is to provide another App Store that includes pirated and cracked iOS apps and games.