Researchers from Proofpoint say they recently discovered a rogue app store that lets iOS device users download apps from a catalog offering more than 1 million apps, without having to jailbreak their device.
Called vShare, the rogue app store allows paid apps to be downloaded for free and has existed for several years, allowing owners of Android devices and jailbroken iPhones and iPads to download various applications.
Now, the marketplace has found a way to serve apps even on iOS devices that haven’t been tampered with, by letting users “sideload” the apps onto their smartphones and tablets.
Security experts from Proofpoint called this type of app store “DarkSideLoader”, because the application loading mechanism it uses puts user security at risk and because these apps use private iOS APIs to access operating system functions that are off limits to apps that have been vetted by Apple for publishing on the official app store.
Sideloading, which involves downloading and installing apps onto a mobile device from sources other than the official store, requires a change in settings on Android, but typically involves jailbreaking an iOS device or trusting the developer associated with an app in older versions of iOS.
"On iOS devices installing unapproved apps was previously only possible by jailbreaking an iPhone or iPad. However, the DarkSideLoader technique allows sideloading of apps through the use of a fraudulent or stolen enterprise app distribution certificate coupled with app re-signing," Proofpoint explained in a blog post.
While Android users only need to enable the ability to install apps from unknown sources in their device’s Settings menu, the process is more complicated on iOS, where users don’t have control over this option on non-jailbroken devices. The vShare app circumvents this by being signed with an Enterprise App distribution certificate, issued by Apple (such certificates are usually issued for enterprises that have internal app stores).
When the user clicks on a link to a website hosting URLs to the malicious app store, the DarkSideLoader app is downloaded, and owners of iOS 7 and 8 devices are asked to trust the publisher when running the app. After that, the app installs the enterprise certificate on the device and is able to run and to install additional applications on the compromised iPhone or iPad.
In line with the latest changes Apple has made to sideloading, owners of iOS 9 devices won’t be prompted to trust the publisher, but have to open the Settings app, go to Profiles, tap the publisher’s name, and then select Trust. To ensure that users perform each step of this process, the DarkSideLoader app offers detailed instructions on how it should be enabled.
The researchers also warn that these rogue marketplace apps could use known or zero-day security vulnerabilities to jailbreak devices or to gain administrator privileges. Additionally, getting around the official Apple App Store vetting process allows the downloading of apps that could act as Remote Access Trojans, enabling attackers to access mobile devices.
When corporate employees are involved, the risks are even higher, as attackers could access the compromised devices when they are active on internal corporate networks. What’s even more worrying is the fact that the vShare marketplace is accessible to iOS devices from anywhere in the world, whereas previous similar stores were accessible only to devices with Chinese IP addresses.
“This is a criminal gang intent upon distributing modified apps — they will evade detection and takedown, similar to the criminal malware gangs we see on PCs and through email,” a company spokesperson told SecurityWeek.
This attack technique also allows cybercriminals to load various configuration profiles onto iOS devices that make it possible for them to configure VPN settings to redirect network traffic to man-in-the-middle nodes. They can also change various other operating system settings, eventually compromising the entire device.
The vShare DarkSideLoader marketplace application was also found to affect Android devices, and the threat appears to be similar to that on iOS. The Android app was found to attempt to root devices and install applications without asking for user permissions, in addition to communicating with known malicious sites on the web.
When the DarkSideLoader marketplace app is used to download software, it automatically signs apps with the aforementioned enterprise certificate to ensure that they can run as if they came from the official App Store. However, the rogue marketplace also decrypts, modifies, and re-signs legitimate games and applications, thus turning them into possibly malicious ones.
Third-party marketplaces might appeal to users because they offer apps, games and other content unavailable via the official stores, and because they may offer paid apps for free. The vShare marketplace has 15,000 iOS apps available through the DarkSideLoader site, and is estimated to have around 10 million iOS users, alongside 400k Android apps and 30 million Android users.
Proofpoint researchers explain that DarkSideLoader marketplaces can obtain fraudulent enterprise certificates by creating a fake company and requesting one from Apple or by imitating a real company and getting Apple to issue an enterprise iOS developer account and app distribution certificate. They might also steal these certificates from legitimate companies that have one by phishing the Apple developer website credentials of such a company.
Apple usually revokes the certificates found to be associated with rogue marketplaces, but the masterminds behind such operations are able to obtain multiple certificates and change them when they are no longer valid. The vShare marketplace has used multiple app distribution certificates in the recent months as well.
According to Proofpoint, a survey conducted among the ten largest US enterprises using TAP Mobile Defense revealed that 40 percent had employees actively using a DarkSideLoader-enabled rogue app marketplace. The security firm warns users not to trust these rogue app stores, even if they own non-jailbroken iOS devices, and advises enterprises to deploy solutions that can detect the presence of apps from DarkSideLoader marketplaces, to ensure the safety of their employees and network environments.
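As an added example of the detection the last paragraph recommends (this is not Proofpoint's tooling and not code from the article): a Python check that reads an app's embedded.mobileprovision and flags enterprise-distribution profiles from a team the organization does not own, or profiles that have already expired, as happens when Apple revokes a certificate and the store swaps in another. The trusted team ID, the sample profile and every value in it are constructed placeholders.

```python
import plistlib
from datetime import datetime

# Placeholder allowlist: a real deployment would hold the organization's own
# Apple enterprise team identifiers, since in-house profiles are only legitimate
# when they come from the company that actually provisioned the device's apps.
TRUSTED_TEAM_IDS = {"ABCDE12345"}
# Fixed "current time" so the constructed example is deterministic.
REFERENCE_NOW = datetime(2016, 3, 10)

# Constructed sample embedded.mobileprovision: fake signature bytes around an
# XML plist, mimicking the signed envelope of a real profile. Values are made up.
SAMPLE_PROFILE = b"\x30\x82\x01\x00FAKE-CMS-HEADER" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>In-House Distribution</string>
  <key>TeamName</key><string>Example Unknown Co</string>
  <key>TeamIdentifier</key><array><string>ZZZZZ99999</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2017-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ZZZZZ99999.com.example.game</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>""" + b"FAKE-CMS-TRAILER"


def extract_profile_plist(raw: bytes) -> dict:
    """Locate the XML plist inside the signed profile envelope by its markers."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def assess_profile(profile: dict, now: datetime) -> list:
    """Return the findings a DarkSideLoader-style install would leave behind."""
    findings = []
    team = (profile.get("TeamIdentifier") or [None])[0]
    # ProvisionsAllDevices marks an enterprise (in-house) profile: it installs on
    # any device without a store review, which is what the rogue store relies on.
    if profile.get("ProvisionsAllDevices") and team not in TRUSTED_TEAM_IDS:
        findings.append(f"enterprise-signed app from untrusted team {team} ({profile.get('TeamName')})")
    expiry = profile.get("ExpirationDate")  # plistlib yields a naive datetime
    if expiry is not None and expiry < now:
        findings.append("expired profile: the certificate may have been revoked and swapped")
    return findings


if __name__ == "__main__":
    for finding in assess_profile(extract_profile_plist(SAMPLE_PROFILE), REFERENCE_NOW):
        print("ALERT:", finding)
```

On a real device inventory the same check would run over each installed app's embedded.mobileprovision, with the allowlist populated from the organization's enterprise developer accounts.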