Millions of iOS users have unwittingly installed adware on their devices after downloading popular applications from a China-based third-party app store.
According to Trend Micro, the app store, called Haima, has been repackaging popular applications such as Minecraft, Terraria, Instagram, Facebook, QQ and Pokemon GO, and aggressively advertising them on YouTube and various social media websites.
Apple has a rigorous verification process in place to ensure that malicious applications are not published on its official app store. However, the company’s Developer Enterprise Program allows organizations to create and distribute in-house apps that are signed using an enterprise certificate.
Haima has been abusing this program to repackage legitimate applications with dynamic libraries that integrate modules from various ad networks, including Inmobi, Adsailer, Mobvista, Baidu and DianRu. These pieces of adware not only display ads, but they also consume victims’ mobile data traffic and expose their personal information.
Trend Micro reported that some of the apps served on Haima have millions of downloads, including Minecraft PE (68 million), Terraria (6 million), QQ (45 million) and Pokemon GO (1 million). On a different third-party app marketplace, Vietnam-based HiStore, experts discovered a similar adware-laden Pokemon GO app that had been downloaded more than 10 million times.
By signing the repackaged apps with iOS enterprise certificates obtained through the Developer Enterprise Program, the cybercrooks ensure that their applications can be installed on iOS devices. Starting with iOS 9, Apple has made it more difficult to trick users into installing such apps, and the company is quick to revoke misused certificates.
Nevertheless, users still install these applications and the adware developers quickly replace the revoked certificates – experts found more than five certificates being used in a 15-day timeframe.
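The two mechanisms above, a legitimate binary that gains an extra dynamic library and a bundle signed for in-house distribution, are both visible to an analyst before the app is trusted. The following Python is an added example written for this page, not code from the article or from Trend Micro: it parses the load commands of a 64-bit Mach-O slice to list the libraries it links at load time, diffs that list against a known-good build of the same app, and checks an embedded provisioning profile for the `ProvisionsAllDevices` flag that marks enterprise distribution. The sample binaries and the profile are constructed inline; the library name `libAdSDK.dylib`, the profile fields and the CMS wrapper bytes are placeholders, not artefacts from Haima.

```python
import plistlib
import struct

# Mach-O constants as defined in <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF            # 64-bit slice, file in host byte order
MH_CIGAM_64 = 0xCFFAEDFE            # 64-bit slice, byte-swapped
LC_LOAD_DYLIB = 0x0000000C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_LOAD_UPWARD_DYLIB = 0x80000023
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}
MACH_HEADER_64_LEN = 32


def linked_dylibs(macho: bytes) -> list[str]:
    """Return the install names of every dylib a 64-bit Mach-O slice loads at launch."""
    if len(macho) < MACH_HEADER_64_LEN:
        raise ValueError("shorter than a mach_header_64")
    magic, = struct.unpack_from("<I", macho, 0)
    if magic == MH_MAGIC_64:
        bo = "<"
    elif magic == MH_CIGAM_64:
        bo = ">"
    else:
        raise ValueError("not a 64-bit Mach-O slice (fat and 32-bit files are not handled here)")
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    _, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(bo + "8I", macho, 0)
    end = MACH_HEADER_64_LEN + sizeofcmds
    if end > len(macho):
        raise ValueError("load commands extend past end of file (truncated input?)")
    names, off = [], MACH_HEADER_64_LEN
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("ncmds exceeds sizeofcmds")
        cmd, cmdsize = struct.unpack_from(bo + "2I", macho, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd in DYLIB_COMMANDS:
            # dylib_command: cmd, cmdsize, then struct dylib whose first field is an
            # lc_str: a uint32 offset of the name string from the start of this command.
            name_off, = struct.unpack_from(bo + "I", macho, off + 8)
            if not 24 <= name_off < cmdsize:
                raise ValueError("dylib name offset outside its load command")
            raw = macho[off + name_off: off + cmdsize]
            names.append(raw.split(b"\x00", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def bundled_dylibs(names: list[str]) -> list[str]:
    """Libraries that ship inside the app bundle rather than with iOS itself."""
    return [n for n in names if not (n.startswith("/System/") or n.startswith("/usr/lib/"))]


def added_dylibs(known_good: list[str], sample: list[str]) -> list[str]:
    """Libraries present in the sample build but absent from a known-good build."""
    base = set(known_good)
    return [n for n in sample if n not in base]


def is_enterprise_profile(mobileprovision: bytes) -> bool:
    """True when an embedded.mobileprovision carries the in-house distribution flag.
    The profile is a CMS-signed XML plist; the plist body is located by its XML markers."""
    start = mobileprovision.find(b"<?xml")
    stop = mobileprovision.find(b"</plist>")
    if start < 0 or stop < 0:
        raise ValueError("no XML plist found in profile")
    info = plistlib.loads(mobileprovision[start: stop + len(b"</plist>")])
    return bool(info.get("ProvisionsAllDevices", False))


# --- constructed sample inputs (not real app artefacts) ---------------------------
def _dylib_command(cmd: int, path: str) -> bytes:
    # lc_str offset 24, timestamp 2, current/compat version 1.0.0; cmdsize padded to 8
    body = struct.pack("<4I", 24, 2, 0x10000, 0x10000) + path.encode() + b"\x00"
    size = 8 + len(body)
    pad = (-size) % 8
    return struct.pack("<2I", cmd, size + pad) + body + b"\x00" * pad


def build_macho(paths: list[str]) -> bytes:
    """Minimal arm64 MH_EXECUTE header followed only by LC_LOAD_DYLIB commands."""
    cmds = b"".join(_dylib_command(LC_LOAD_DYLIB, p) for p in paths)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(paths), len(cmds), 0, 0) + cmds


ORIGINAL_DYLIBS = [
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "@rpath/libswiftCore.dylib",
]
# placeholder name for a library injected by a repackager
REPACKAGED_DYLIBS = ORIGINAL_DYLIBS + ["@executable_path/Frameworks/libAdSDK.dylib"]


def build_profile(enterprise: bool) -> bytes:
    """Plist wrapped in placeholder bytes standing in for the CMS envelope."""
    plist = plistlib.dumps({"Name": "example profile", "TeamIdentifier": ["PLACEHOLDER"],
                            "ProvisionsAllDevices": enterprise})
    return b"\x30\x82CMS-HEADER-PLACEHOLDER" + plist + b"SIGNATURE-PLACEHOLDER"


def triage() -> dict:
    original = linked_dylibs(build_macho(ORIGINAL_DYLIBS))
    sample = linked_dylibs(build_macho(REPACKAGED_DYLIBS))
    return {
        "added": added_dylibs(original, sample),
        "bundled": bundled_dylibs(sample),
        "enterprise_signed": is_enterprise_profile(build_profile(True)),
    }


if __name__ == "__main__":
    print(triage())
```

On a real IPA the same functions run over the main executable extracted from `Payload/<App>.app/` and its `embedded.mobileprovision`; a known-good baseline comes from a copy of the same version obtained from the official App Store. A bundled library that the baseline lacks is exactly the signature of the repackaging described above, and an enterprise profile on an app that was never meant for in-house distribution is the second half of the picture.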
“It doesn’t hurt their bottom line either – the income generated from Haima’s business model of distributing adware-carrying apps can more than offset the $299 price tag of an iOS enterprise certificate,” Trend Micro researchers explained.
It’s not uncommon for cybercriminals to abuse Apple’s enterprise certificates to sign malware. The developers of YiSpecter and WireLurker malware both leveraged this method to install their creations on a large number of devices in China.
The adware hosted on Haima is designed to collect information from infected devices, including IMSI and IMEI codes, jailbreak status, network information, device name and IP address. This data is sent to a C&C server and leveraged to deliver targeted ads.