Apple finds App Store within an app on Chinese App Store

Apple moves to shut down dodgy app on Chinese App Store that could have installed pirate and jailbroken apps.

Jekyll and Hyde: Happy Daily English outside China, malware dispensing App Store clone inside China

Apple has removed an app from its Chinese App Store after it was found to be hosting a rival app store that could allow users to install pirated apps and apps normally available only on jailbroken devices.

Listed on the App Store as Happy Daily English, the app was unearthed by security researchers at Palo Alto Networks. Its developers, a Chinese company whose main product is called XY Helper, avoided detection by Apple's App Store reviewers by building an app that behaves differently depending on the user's geographical location.

As far as users outside China were concerned, the app showed an interface to help Chinese speakers learn English. Inside China, the same app displayed a fully functional third-party app store offering pirated and cracked apps.

This mechanism is thought to have hoodwinked App Store reviewers into approving the app, since all they would see was an educational app. Its true nature went unnoticed until late last week, when a user on a Chinese forum raised the issue.

In a blog post, Claud Xiao, security researcher at Palo Alto Networks, said the app, dubbed ZergHelper, followed the rules of the App Store review process in order to avoid detection.

“ZergHelper's main functionality appeared to be to provide another App Store that includes pirated and cracked iOS apps and games. The app was developed by a company in China that named its main product ‘XY Helper’. ZergHelper was the non-jailbroken and ‘official App Store’ version of this product,” said Xiao.

The app also abused enterprise certificates and re-implemented a small part of Apple's iTunes client for Windows in order to log in to the App Store and purchase and download apps. It also implemented some of the functionality of Apple's Xcode IDE to automatically obtain free personal development certificates from Apple's servers and use them to sign apps on iOS devices.

Xiao said that means “the attacker has analysed Apple's proprietary protocols and abused the new developer programme introduced eight months ago. ZergHelper also shares some valid Apple IDs with users so that they don't need to use their own IDs.”

Once Palo Alto Networks notified Apple about the rogue app, it was withdrawn from sale. It had, however, been available since October last year.

“ZergHelper's code is complex and it's still unclear whether it would steal account information and send it back to the server or not,” said Xiao. “We also identified over 50 ZergHelper apps that are signed by enterprise certificates. These apps were spread by authors in different channels.”
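Xiao's count of enterprise-signed ZergHelper builds points at a triage check a defender can run on an app pulled from a device or an IPA: read its embedded.mobileprovision and ask which distribution channel signed it. The following Python script is an added example for this article, not code from Palo Alto Networks or Apple. It relies on three well-known profile keys (ProvisionsAllDevices marks an enterprise in-house profile, ProvisionedDevices marks a development or ad hoc profile, and an App Store profile has neither) and on the get-task-allow entitlement. The sample profiles are constructed, the 7-day lifetime threshold used to flag likely free personal-team profiles is an assumption, and the script locates the plist by its XML markers without verifying the CMS signature that wraps it.

```python
"""Classify an iOS embedded.mobileprovision by distribution channel.

Added example for this article; not code from Palo Alto Networks or Apple.
The real file is a CMS (PKCS#7) SignedData blob wrapping an XML plist. This
script extracts the plist by its markers and does NOT verify the signature.
"""
import plistlib
from datetime import datetime, timedelta

# Assumption: free personal-team profiles are short-lived, so a development
# profile valid for a week or less with get-task-allow set is flagged.
FREE_TEAM_MAX_DAYS = 7


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped provisioning profile."""
    start = blob.find(b"<?xml")
    if start < 0:
        raise ValueError("no embedded XML plist found")
    end = blob.find(b"</plist>", start)
    if end < 0:
        raise ValueError("truncated XML plist")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> dict:
    """Return the distribution kind plus the indicators behind the verdict."""
    entitlements = profile.get("Entitlements", {})
    task_allow = bool(entitlements.get("get-task-allow", False))
    created = profile.get("CreationDate")
    expires = profile.get("ExpirationDate")
    lifetime_days = (expires - created).days if created and expires else None

    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"    # in-house certificate: installs on any device
    elif "ProvisionedDevices" in profile:
        kind = "development"   # UDID-bound: developer or ad hoc signing
    else:
        kind = "appstore"      # neither key: Apple's own distribution channel

    short_lived = lifetime_days is not None and lifetime_days <= FREE_TEAM_MAX_DAYS
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "devices": len(profile.get("ProvisionedDevices", [])),
        "get_task_allow": task_allow,
        "lifetime_days": lifetime_days,
        "likely_free_personal_team": kind == "development" and task_allow and short_lived,
    }


def triage(blob: bytes) -> dict:
    """Convenience wrapper: raw profile bytes in, classification out."""
    return classify_profile(extract_plist(blob))


def _sample(profile: dict) -> bytes:
    """Constructed stand-in for the CMS envelope; the bytes are NOT a real signature."""
    header = b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    return header + plistlib.dumps(profile) + b"\x00" * 16


# Constructed sample profiles (team names and device ID are made up).
_T0 = datetime(2016, 2, 1)
SAMPLE_APPSTORE = _sample({
    "Name": "Constructed App Store profile", "TeamName": "Constructed Team A",
    "Entitlements": {"get-task-allow": False},
    "CreationDate": _T0, "ExpirationDate": _T0 + timedelta(days=365),
})
SAMPLE_ENTERPRISE = _sample({
    "Name": "Constructed in-house profile", "TeamName": "Constructed Corp",
    "ProvisionsAllDevices": True, "Entitlements": {"get-task-allow": False},
    "CreationDate": _T0, "ExpirationDate": _T0 + timedelta(days=365),
})
SAMPLE_FREE_DEV = _sample({
    "Name": "Constructed personal-team profile", "TeamName": "Constructed Personal Team",
    "ProvisionedDevices": ["00000000-000000000000DEAD"],
    "Entitlements": {"get-task-allow": True},
    "CreationDate": _T0, "ExpirationDate": _T0 + timedelta(days=7),
})

if __name__ == "__main__":
    for label, blob in (("appstore", SAMPLE_APPSTORE), ("enterprise", SAMPLE_ENTERPRISE),
                        ("free-dev", SAMPLE_FREE_DEV)):
        print(label, triage(blob))
```

On a real device the profile is at `<App>.app/embedded.mobileprovision` inside the IPA; an app that was "bought" through the App Store but carries an enterprise or short-lived development profile is exactly the kind of sideloaded build Xiao describes.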

Matt Hampton, chief technology officer at Imerja, told SCMagazineUK.com that it would be difficult for Apple to police apps that behave differently depending on location, and for some apps this is a fundamental requirement. “However, this appears to be the first app that takes it to the level described,” he said.

Hampton added that users are accustomed to desktop applications that have a small downloader, such as Chrome or Adobe products, which then pull down the larger components – it appears that this app did a similar thing. “For this to work, a user would have had to grant the app permissions to allow it to make the changes. This highlights the issue of users blindly accepting the change in permissions to enable someone else to alter trusted applications,” he said.

James Maude, senior security engineer at Avecto, told SC that this was a new and potentially dangerous twist in iOS security. Previously, users largely relied on jailbroken devices, often running out of date versions of iOS, that could be exploited to run non-App Store apps.

“Apple has worked hard to prevent users from jailbreaking devices and will be very keen to not only plug this hole but prevent it from happening again. The App Store acts as one of the primary security boundaries for Apple devices so bypassing it in this way opens the door for new malware threats,” he said.

Maude added that while the odds of this particular app appearing on the App Store in Europe are slim, we can expect a flurry of copycat apps attempting to circumvent Apple's protections. “How many of these will make it through Apple's rigorous screening process remains to be seen,” he said.