Apple has been forced to remove a risky app which managed to bypass its strict code review process and end up on the official App Store.
The app in question was identified by Palo Alto Networks as “?????? (Happy Daily English),” but renamed by the company ‘ZergHelper.’
It was officially classified as “riskware” by the security vendor, who described it in a blog post as a “complex, fully functional third party App Store client for iOS users in mainland China.”
Specifically, the app provides an installation of modified versions of iOS apps “whose security can’t be ensured,” as well as requesting users’ Apple ID to perform a variety of operations in the background.
It also abuses enterprises and personal certificates to sign and distribute apps.
Palo Alto Networks added that ZergHelper’s author is trying to extend its capabilities via dynamic updating of its code, which could further bypass iOS security restrictions.
It seems to have been able to bypass Apple’s review process by virtue of the fact it performs differently depending on where in the world the user is located. For users outside China it apparently looks and acts like an English language studying app.
“In addition to its abuse of enterprise certificates, this riskware used some new and novel approaches to install apps on non-jailbroken devices. It re-implemented a tiny version of Apple’s iTunes client for Windows to login, purchase and download apps,” explained Palo Alto security researcher, Claud Xiao.
“It also implemented some functionalities of Apple’s Xcode IDE to automatically generate free personal development certificates from Apple’s server to sign apps in the iOS devices – which means the attacker has analyzed Apple’s proprietary protocols and abused the new developer program introduced eight months ago. ZergHelper also shares some valid Apple IDs with users so that they don’t need to use their own IDs.”
In total, the security vendor found over 50 versions of ZergHelper signed by nine different enterprise certificates.