
Malware & Threats

Millions of iOS Users Install Adware From Third-Party App Store

Millions of iOS users have unwittingly installed adware on their devices after downloading popular applications from a China-based third-party app store.

According to Trend Micro, the app store, called Haima, has been repackaging popular applications such as Minecraft, Terraria, Instagram, Facebook, QQ and Pokemon GO, and aggressively advertising them on YouTube and various social media websites.

Apple has a rigorous verification process in place to ensure that malicious applications are not published on its official app store. However, the company’s Developer Enterprise Program allows organizations to create and distribute in-house apps that are signed using an enterprise certificate.

Haima has been abusing this program to repackage legitimate applications with dynamic libraries that integrate modules from various ad networks, including Inmobi, Adsailer, Mobvista, Baidu and DianRu. These pieces of adware not only display ads, but they also consume victims’ mobile data traffic and expose their personal information.

Trend Micro reported that some of the apps served on Haima have millions of downloads, including Minecraft PE (68 million), Terraria (6 million), QQ (45 million) and Pokemon GO (1 million). On a different third-party app marketplace, Vietnam-based HiStore, experts discovered a similar adware-laden Pokemon GO app that had been downloaded more than 10 million times.

By signing the repackaged apps with iOS enterprise certificates obtained through the Developer Enterprise Program, the cybercrooks ensure that their applications can be installed on iOS devices. Starting with iOS 9, Apple has made it more difficult to trick users into installing such apps, and the company is quick to revoke misused certificates.

Nevertheless, users still install these applications and the adware developers quickly replace the revoked certificates – experts found more than five certificates being used in a 15-day timeframe.
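Sideloaded apps of the kind described above carry their enterprise provisioning profile inside the bundle (embedded.mobileprovision), so a device or MDM audit can tell an in-house-signed app from an App Store one. The following Python triage helper is an added example, not code from Trend Micro or SecurityWeek; the profile contents are constructed placeholders, and it assumes the organization keeps an allow-list of its own Apple team identifiers.

```python
import datetime
import plistlib
import re

# Constructed sample of the XML plist that a real embedded.mobileprovision
# carries inside its CMS (PKCS#7) signature. All values are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>TeamName</key><string>Example Team (constructed)</string>
<key>TeamIdentifier</key><array><string>TEAMID0000</string></array>
<key>ProvisionsAllDevices</key><true/>
<key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>TEAMID0000.com.example.repackaged</string>
<key>get-task-allow</key><false/>
</dict></dict></plist>"""
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

def extract_plist(profile_bytes):
    """Locate and parse the plist payload of a .mobileprovision file."""
    m = PLIST_RE.search(profile_bytes)
    if not m:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(m.group(0))

def classify_profile(profile_bytes):
    """Return the distribution type and the fields an analyst triages on."""
    p = extract_plist(profile_bytes)
    ent = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"   # in-house profile: installs on any device
    elif "ProvisionedDevices" in p:
        kind = "development" if ent.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    exp = p.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return {"kind": kind, "team": p.get("TeamName"),
            "team_ids": list(p.get("TeamIdentifier", [])),
            "app_id": ent.get("application-identifier"),
            "expired": exp is not None and exp < now}

def is_suspicious(info, trusted_team_ids):
    """Flag enterprise-signed apps whose team is not on the org's allow-list
    or whose profile has lapsed. Certificate revocation, Apple's response to
    abuse, is not visible offline; it needs an OCSP check against Apple."""
    if info["kind"] != "enterprise":
        return False
    return info["expired"] or not set(info["team_ids"]) & set(trusted_team_ids)
```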

“It doesn’t hurt their bottom line either — the income generated from Haima’s business model of distributing adware-carrying apps can more than offset the $299 price tag of an iOS enterprise certificate,” Trend Micro researchers explained.
It’s not uncommon for cybercriminals to abuse Apple’s enterprise certificates to sign malware. The developers of YiSpecter and WireLurker malware both leveraged this method to install their creations on a large number of devices in China.

The adware hosted on Haima is designed to collect information from infected devices, including IMSI and IMEI codes, jailbreak status, network information, device name and IP address. This data is sent to a C&C server and leveraged to deliver targeted ads.

Related Reading: Pirated App Store Client Slips Into Apple’s Official App Store

Related Reading: “SandJacking” Attack Allows Hackers to Install Evil iOS Apps

Related Reading: Attackers Can Install Malware on iOS via MDM Solutions

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.