Third-Party App Store Slips Inside iOS App Store

A third-party app store application managed to slip into the official iOS App Store by masquerading as a legitimate financial helper application, according to Trend Micro researchers.


Dubbed “Household Accounts App” and claiming to be a financial helper app for families, the application is designed with Japanese characters, but the app store it leads to is written in Mandarin Chinese. The researchers discovered the program in the App Stores of multiple countries and couldn’t determine exactly who it targets.

When launched for the first time, the application checks the PPAASSWOpenKey key in the system’s user preference plist to determine whether it has run before; the key doesn’t exist if it hasn’t, the researchers explain. Next, the app switches to the else branch, which requests permission to use data to access the third-party store, a request the user has to approve.

The third-party store can be used to install not only applications in the official iOS App Store, but also those that are distributed via unofficial channels, thus potentially exposing users to mobile malware and other unwanted applications. One of the programs distributed via this portal is “PG Client,” a tool for jailbreaking iOS devices.

In addition to this third-party store, the security researchers found a program designed to promote applications already in the App Store. Dubbed “LoveApp”, the software could bypass Apple’s arrangement of apps in searches and the paid Search Ads option and could create revenue by charging developers looking to promote apps without using Apple’s promotion service.

LoveApp was found to abuse iOS APIs that allow developers to display their app’s page, using them to direct users from its own listing to the App Store listings of the promoted apps. The app also has a series of privacy issues: at installation it was found to upload some user attributes to its servers, including the advertising identifier (IDFA), which is used to count the number of downloads.

The app also uses a third-party SDK called TalkingData to gather information about the user’s behavior. The SDK has many aggressive API calls and can acquire various information about the user’s system, such as the Wi-Fi network name, running processes, and IP address. On jailbroken devices, it can also gather the user’s Apple ID and installed apps.

“We recommend that users be careful about downloading apps from third-party app stores. Apple can’t endorse the safety of any of the apps delivered via third-party stores, and such is the case here: users are still exposing themselves to various security threats (including malware and other unwanted apps). Organizations should put in place policies to reduce the risk from these malicious apps, such as blocking unapproved app stores and safeguarding personal devices,” Trend Micro notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
