
Millions of iOS Users Install Adware From Third-Party App Store

Millions of iOS users have unwittingly installed adware on their devices after downloading popular applications from a China-based third-party app store.

Millions of iOS users have unwittingly installed adware on their devices after downloading popular applications from a China-based third-party app store.

According to Trend Micro, the app store, called Haima, has been repackaging popular applications such as Minecraft, Terraria, Instagram, Facebook, QQ and Pokemon GO, and aggressively advertising them on YouTube and various social media websites.

Apple has a rigorous verification process in place to ensure that malicious applications are not published on its official app store. However, the company’s Developer Enterprise Program allows organizations to create and distribute in-house apps that are signed using an enterprise certificate.

Haima has been abusing this program to repackage legitimate applications with dynamic libraries that integrate modules from various ad networks, including Inmobi, Adsailer, Mobvista, Baidu and DianRu. These pieces of adware not only display ads, but they also consume victims’ mobile data traffic and expose their personal information.

Trend Micro reported that some of the apps served on Haima have millions of downloads, including Minecraft PE (68 million), Terraria (6 million), QQ (45 million) and Pokemon GO (1 million). On a different third-party app marketplace, Vietnam-based HiStore, experts discovered a similar adware-laden Pokemon GO app that had been downloaded more than 10 million times.

By signing the repackaged apps with iOS enterprise certificates obtained through the Developer Enterprise Program, the cybercrooks ensure that their applications can be installed on iOS devices. Starting with iOS 9, Apple has made it more difficult to trick users into installing such apps, and the company is quick to revoke misused certificates.

Nevertheless, users still install these applications and the adware developers quickly replace the revoked certificates – experts found more than five certificates being used in a 15-day timeframe.
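The two behaviours described above (enterprise-signed copies of apps that are only sold through the App Store, and rapid rotation of the enterprise certificates once Apple revokes them) are both visible in a device inventory. The following Python is an added example, not code from the article or from Trend Micro: it runs two defender-side checks over a constructed MDM-style app inventory. The field names, bundle identifiers and team IDs are placeholders I made up; the rotation threshold uses the article's own figure of more than five certificates in 15 days.

```python
from collections import defaultdict
from datetime import date, timedelta

# Bundle identifiers of apps that are only ever distributed through the
# App Store. Constructed placeholders, not the real bundle IDs.
KNOWN_STORE_APPS = {
    "app.example.minecraftpe",
    "app.example.terraria",
    "app.example.pokemongo",
}

# Constructed MDM-style inventory of installed apps. The schema (device,
# bundle_id, signing, team_id, cert_serial, first_seen) is an assumption;
# a real MDM export uses its own field names.
INVENTORY = [
    {"device": "d1", "bundle_id": "app.example.minecraftpe", "signing": "appstore",
     "team_id": "STORE", "cert_serial": "-", "first_seen": date(2016, 10, 1)},
    {"device": "d2", "bundle_id": "app.example.minecraftpe", "signing": "enterprise",
     "team_id": "TEAMXXXX01", "cert_serial": "ent-a1", "first_seen": date(2016, 10, 2)},
    {"device": "d3", "bundle_id": "com.example.corp.expenses", "signing": "enterprise",
     "team_id": "CORPTEAM01", "cert_serial": "corp-01", "first_seen": date(2016, 9, 1)},
]
# Six distinct enterprise certificates signing the same repackaged app within
# twelve days, modelled on the rotation rate the article describes.
for i in range(6):
    INVENTORY.append({"device": f"p{i}", "bundle_id": "app.example.pokemongo",
                      "signing": "enterprise", "team_id": f"TEAMROT{i:02d}",
                      "cert_serial": f"ent-r{i}",
                      "first_seen": date(2016, 10, 1) + timedelta(days=2 * i)})


def impersonation_flags(inventory, store_apps=KNOWN_STORE_APPS):
    """Enterprise-signed installs whose bundle ID belongs to an App Store-only app.

    A legitimate in-house app is enterprise-signed but has its own bundle ID,
    so it is not flagged; a repackaged store app signed with an enterprise
    certificate is.
    """
    return [(e["device"], e["bundle_id"], e["team_id"])
            for e in inventory
            if e["signing"] == "enterprise" and e["bundle_id"] in store_apps]


def churn_flags(inventory, window_days=15, threshold=5):
    """Bundle IDs signed by more than `threshold` distinct enterprise
    certificates inside any `window_days`-day window.

    Returns {bundle_id: number of distinct certificates in the first window
    that exceeds the threshold}.
    """
    # bundle_id -> {cert_serial: earliest date that certificate was seen}
    first_seen = defaultdict(dict)
    for e in inventory:
        if e["signing"] != "enterprise":
            continue
        serials = first_seen[e["bundle_id"]]
        serial, day = e["cert_serial"], e["first_seen"]
        if serial not in serials or day < serials[serial]:
            serials[serial] = day

    flagged = {}
    for bundle, serials in first_seen.items():
        days = sorted(serials.values())
        # Slide a window starting at each certificate's first sighting and
        # count how many distinct certificates appear before it closes.
        for i, start in enumerate(days):
            end = start + timedelta(days=window_days)
            count = sum(1 for d in days[i:] if d <= end)
            if count > threshold:
                flagged[bundle] = count
                break
    return flagged


if __name__ == "__main__":
    for hit in impersonation_flags(INVENTORY):
        print("enterprise-signed store app:", hit)
    for bundle, n in churn_flags(INVENTORY).items():
        print(f"certificate churn: {bundle} signed by {n} certificates in 15 days")
```

The impersonation check is the cheaper of the two and catches a single install; the churn check needs sightings from several devices over time, but it is what distinguishes a one-off leaked certificate from a distributor that buys a new one each time Apple revokes the last.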

“It doesn’t hurt their bottom line either — the income generated from Haima’s business model of distributing adware-carrying apps can more than offset the $299 price tag of an iOS enterprise certificate,” Trend Micro researchers explained.

It’s not uncommon for cybercriminals to abuse Apple’s enterprise certificates to sign malware. The developers of YiSpecter and WireLurker malware both leveraged this method to install their creations on a large number of devices in China.

The adware hosted on Haima is designed to collect information from infected devices, including IMSI and IMEI codes, jailbreak status, network information, device name and IP address. This data is sent to a C&C server and leveraged to deliver targeted ads.

Related Reading: Pirated App Store Client Slips Into Apple’s Official App Store

Related Reading: “SandJacking” Attack Allows Hackers to Install Evil iOS Apps

Related Reading: Attackers Can Install Malware on iOS via MDM Solutions

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.