Palo Alto Networks research revealed that a pirated iOS app was able to bypass Apple's App Store security review....
How did this pirated app fool the security review? And what concerns, if any, should this give enterprises about the validity of app store approvals?
The objective of Apple's App Review is to keep its iOS, Mac and tvOS app stores free from apps that are malicious, defective, dangerous, offensive or that infringe upon any of Apple's App Store Review Guidelines. The reviews play an important role in safeguarding the privacy and security of iOS users. Every app and every update has to go through the review process, and it has been mostly successful at keeping malicious apps out of Apple's App Stores. There have been cases, though, where a developer has managed to slip inappropriate code through the code review. Find and Call was the first truly malicious app to pass through Apple's approval process back in 2012, while XcodeGhost and InstaAgent are two more recent examples.
Malware writers are always looking for new evasion techniques to prevent their code from being detected by antivirus software and code reviews, or from being analyzed when run in a sandbox environment. Sandbox and human activity recognition, as well as delayed execution, are just some of the tactics used to hide a malware's true functionality, allowing it to pass inspection. Researchers at Palo Alto Networks recently discovered an iOS app called Happy Daily English that fooled the Apple review process by using an ingenious method to hide its real purpose from reviewers.
The authors of Happy Daily English used geolocation to hide the true nature of their pirated app. Yes, it performs differently for users in different physical locations on earth. When users outside of China install what Palo Alto Networks have dubbed ZergHelper, it acts as an English language study app. However, when accessed from China, its malicious features appear, which include directly installing free, and, most likely, pirated versions of legitimate apps and games. If the App Store reviewers weren't located in mainland China, they would only have seen the legitimate app.
As there is no explicit malicious functionality in this pirated app, Palo Alto Networks only classified it as riskware, but it still introduces potential security risks to iOS device users. It abuses enterprise and personal certificates to sign and distribute apps, and the security of the apps it installs can't be ensured. It may also have the ability, now or in the future, to harvest account information; its use of the programming language Lua could be an attempt by the author to extend its capabilities via dynamic code loading. This is a legitimate technique misused by malware to download additional and malicious code from the internet to circumvent offline analysis, and, in this case, bypass Apple's mandated review of any updates. Overall, its code is very complex and incorporates questionable techniques that could be used by other malware to attack the iOS ecosystem.
Learn how to avoid malicious mobile applications
Read how app development companies fight against piracy
Find out how to develop an enterprise app store
Dig Deeper on Mobile security threats and prevention
Related Q&A from Michael Cobb
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ...continue reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ...continue reading
App trackers were found in hundreds of Google Play apps. Expert Michael Cobb explains the threat they pose and how GDPR has the potential to reduce ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.