Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Millions of iOS Users Install Adware From Third-Party App Store

Millions of iOS users have unwittingly installed adware on their devices after downloading popular applications from a China-based third-party app store.

Millions of iOS users have unwittingly installed adware on their devices after downloading popular applications from a China-based third-party app store.

According to Trend Micro, the app store, called Haima, has been repackaging popular applications such as Minecraft, Terraria, Instagram, Facebook, QQ and Pokemon GO, and aggressively advertising them on YouTube and various social media websites.

Apple has a rigorous verification process in place to ensure that malicious applications are not published on its official app store. However, the company’s Developer Enterprise Program allows organizations to create and distribute in-house apps that are signed using an enterprise certificate.

Haima has been abusing this program to repackage legitimate applications with dynamic libraries that integrate modules from various ad networks, including Inmobi, Adsailer, Mobvista, Baidu and DianRu. These pieces of adware not only display ads, but they also consume victims’ mobile data traffic and expose their personal information.

Trend Micro reported that some of the apps served on Haima have millions of downloads, including Minecraft PE (68 million), Terraria (6 million), QQ (45 million) and Pokemon GO (1 million). On a different third-party app marketplace, Vietnam-based HiStore, experts discovered a similar adware-laden Pokemon GO app that had been downloaded more than 10 million times.

By signing the repackaged apps with iOS enterprise certificates obtained through the Developer Enterprise Program, the cybercrooks ensure that their applications can be installed on iOS devices. Starting with iOS 9, Apple has made it more difficult to trick users into installing such apps, and the company is quick to revoke misused certificates.

Nevertheless, users still install these applications and the adware developers quickly replace the revoked certificates – experts found more than five certificates being used in a 15-day timeframe.

“It doesn’t hurt their bottom line either— the income generated from Haima’s business model of distributing adware-carrying apps can more than offset the $299 price tag of an iOS enterprise certificate,” Trend Micro researchers explained.

It’s not uncommon for cybercriminals to abuse Apple’s enterprise certificates to sign malware. The developers of YiSpecter and WireLurker malware both leveraged this method to install their creations on a large number of devices in China.

The adware hosted on Haima is designed to collect information from infected devices, including IMSI and IMEI codes, jailbreak status, network information, device name and IP address. This data is sent to a C&C server and leveraged to deliver targeted ads.

Related Reading: Pirated App Store Client Slips Into Apple’s Official App Store

Related Reading: “SandJacking” Attack Allows Hackers to Install Evil iOS Apps

Related Reading: Attackers Can Install Malware on iOS via MDM Solutions

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.