The number of malware programs for iOS has been very low until now, primarily because of Apple’s strict control of its ecosystem. Devices that have not been jailbroken—that is, had their security restrictions removed—only allow apps obtained from the official App Store, after they’ve been reviewed and approved by Apple.
There is a separate method for enterprises to distribute in-house developed apps to iOS devices without publishing them on the App Store, but it relies on special code-signing certificates obtained through the Apple Developer Enterprise Program.
Enterprise certificates have been used to install malware on non-jailbroken iOS devices in the past, and this is one of the techniques used by the newly found Chinese app, which is called ZergHelper or XY Helper. However, it’s not the most interesting one.
According to researchers from security firm Palo Alto Networks, ZergHelper also abuses personal development certificates, a new type of code-signing certificate introduced by Apple with the release of Xcode 7.0 in September 2015. Xcode is the main tool—or integrated development environment (IDE)—used to develop iOS and Mac OS X apps.
Starting with Xcode 7, developers can build apps, sign them and have them run on their own devices without publishing them in the app store. This makes it a lot easier to test apps without enrolling in Apple’s Developer Program, which requires a $99 per year subscription.
To generate personal development certificates, app makers have to use Xcode with their phone connected to their computer. The exact process by which Xcode obtains the certificates from Apple is not publicly documented, but the ZergHelper creators seem to have figured it out.
“We think someone has reverse-engineered Xcode in detail to analyze this part of code so that they can implement exactly the same behaviors with Xcode—in effect, successfully cheating Apple’s server,” the Palo Alto Networks researchers said in a blog post.
When the feature was released last year, some people expressed concern that attackers might abuse it to create and distribute malware to non-jailbroken devices. ZergHelper is evidence that this is indeed possible, and it highlights the feature’s potential for abuse “in a wide-ranging and automated way,” the researchers said.
In fact, someone was recently selling code on a popular Chinese security forum that could automatically register Apple IDs and then generate personal development certificates for them. That post has since been deleted, the researchers said.
ZergHelper also provides free Apple IDs to users, and it’s not clear where those IDs come from or whether the app steals them from other devices. The app was available in the official App Store from the end of October until Saturday, when Apple removed it after being alerted by Palo Alto Networks.
The company’s researchers found no explicitly malicious behavior in ZergHelper so far, its main goal being to act as an alternative app store that allows users to install cracked games and other pirated apps without jailbreaking their iOS devices.
Its creators appear to have slipped past Apple’s reviewers with simple tricks. The app was submitted to the App Store under the name “Happy Daily English” (in Chinese) and was presented as a helper app for learning English.
Once installed on a phone, the app behaved as advertised if the user’s IP (Internet Protocol) address was outside mainland China. If the address was in China, however, a different interface appeared that guided users through installing a provisioning profile. This is similar to the process a device goes through when it’s enrolled in a mobile device management system.
Once that was done, users could install apps from the alternative app store. Some of them were signed with stolen enterprise certificates, but others were signed with the new personal development certificates that Xcode generates for free.
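The signing route an app took is recorded in the embedded.mobileprovision file inside its .ipa, so a practitioner who wants to tell an enterprise-signed app from one signed with a free development certificate can read that file rather than guess. The script below is an added example written for this page, not code from the article or from Palo Alto Networks. The sample profile is constructed, its CMS envelope is faked with filler bytes, and the "(Personal Team)" check is a naming heuristic, not an Apple-documented indicator; the field names themselves (ProvisionsAllDevices, ProvisionedDevices, get-task-allow, TeamName, ExpirationDate) are the ones real profiles carry.

```python
import plistlib
import zipfile
from typing import Optional

# Constructed sample (not a real profile): what a free Xcode "personal team"
# development profile for one registered device might look like.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Example Helper</string>
  <key>CreationDate</key><date>2016-02-01T00:00:00Z</date>
  <key>ExpirationDate</key><date>2016-02-08T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.helper</string>
    <key>get-task-allow</key><true/>
  </dict>
  <key>ProvisionedDevices</key>
  <array><string>00000000000000000000000000000000deadbeef</string></array>
  <key>TeamName</key><string>Example Person (Personal Team)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>UUID</key><string>11111111-2222-3333-4444-555555555555</string>
</dict>
</plist>"""

# Real profiles are CMS (PKCS#7) signed data wrapping the plist. These filler
# bytes only stand in for that envelope; they are not valid DER.
SAMPLE_PROFILE = b"\x30\x82\x0a\x00" + b"\x00" * 16 + SAMPLE_PLIST + b"\x00" * 8


def profile_from_ipa(ipa_path: str) -> Optional[bytes]:
    """Return the embedded.mobileprovision bytes from an .ipa, if present."""
    with zipfile.ZipFile(ipa_path) as ipa:
        for name in ipa.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                return ipa.read(name)
    return None


def extract_plist(profile_bytes: bytes) -> dict:
    """Carve the XML plist out of the CMS envelope by its markers.

    This reads the fields; it does NOT verify that Apple signed the profile.
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> dict:
    """Map profile fields to the signing route the app was distributed under."""
    entitlements = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices")
    debuggable = bool(entitlements.get("get-task-allow", False))
    team_name = profile.get("TeamName", "")

    if profile.get("ProvisionsAllDevices", False):
        kind = "enterprise-inhouse"   # Apple Developer Enterprise Program
    elif devices is not None and debuggable:
        kind = "development"          # bound to listed UDIDs, debugger allowed
    elif devices is not None:
        kind = "ad-hoc"               # bound to listed UDIDs, not debuggable
    else:
        kind = "app-store"            # no device list: reviewed distribution

    created, expires = profile.get("CreationDate"), profile.get("ExpirationDate")
    return {
        "kind": kind,
        "team_name": team_name,
        "personal_team": "(Personal Team)" in team_name,  # heuristic on Xcode's naming
        "device_count": len(devices) if devices is not None else 0,
        "valid_days": (expires - created).days if created and expires else None,
        "app_id": entitlements.get("application-identifier", ""),
    }


def flags(info: dict) -> list:
    """Reasons an app the user did not build or sideload themselves looks off."""
    out = []
    if info["kind"] == "development":
        out.append("development profile: this device's UDID is registered to the signer's team")
    if info["personal_team"]:
        out.append("free personal team: the signer never enrolled in the paid Developer Program")
    if info["kind"] == "enterprise-inhouse":
        out.append("enterprise profile: meant for in-house distribution, not public apps")
    return out


if __name__ == "__main__":
    info = classify_profile(extract_plist(SAMPLE_PROFILE))
    print(info)
    for reason in flags(info):
        print("FLAG:", reason)
```

On a real device or .ipa, feed `profile_from_ipa()` output into `extract_plist()`; the classification is only as trustworthy as the CMS signature you did not check here, so treat it as triage, not verification.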
“We don’t know where the App Store reviewers are located,” the Palo Alto Networks researchers said. “If they are not located in mainland China, this method could trick them into seeing a legitimate app. Even if they’re in China, the author could just shut down that webpage during the review period so that reviewer could not see the actual functionality through an analysis of its behavior.”
The app also used another increasingly popular technique that lets developers change their apps’ code dynamically without submitting a new version to the official App Store for review. It did this by integrating a framework called wax, which bridges Lua scripting to native iOS Objective-C methods.
While ZergHelper is not malware per se, the techniques it uses could inspire future malicious attacks. Stolen enterprise certificates have been abused in the past, but ZergHelper takes it one step further by automatically generating free personal development certificates.
“This is of concern because the abuse of these certificates may be the first step toward future attacks,” the Palo Alto Networks researchers said.