A group of developers based in China abused the free personal development certificates that Apple issues for testing apps in order to sideload unauthorized apps onto iOS devices.
The app, which was found on the Apple App Store, has been used to install pirated apps on iOS devices that have not been jailbroken, according to researchers from Palo Alto Networks. Normally, unauthorized apps can only be loaded onto jailbroken devices (or "rooted" handsets, in the case of Android).
The iOS feature the developers abused lets anyone with an Apple ID obtain a code-signing certificate at no cost in order to build and test apps on their own devices. Because Apple considers its devices secure by design, there are few anti-malware tools for the iOS ecosystem.
Apple describes iOS as a secure platform, with the exception of devices that have been jailbroken. On an iPhone that has not been jailbroken, apps that do not come from the Apple App Store are refused for security reasons, and every app that reaches the App Store must first pass Apple's review before it is published.
Code-signing certificates, however, give developers a way to distribute apps to iPhones and iPads without publishing them on the Apple App Store. It is these certificates that the Chinese developers abused to install unauthorized apps on non-jailbroken Apple devices.
A similar method has been used in the past to load malware onto iOS handsets. The app found on the Apple App Store is named ZergHelper, also known as XY Helper. It also abused the newly introduced personal development certificates, which work as code-signing certificates as well. These personal development certificates were introduced alongside Xcode 7.
Xcode 7 lets developers test their apps by running them on their own devices without publishing them on the Apple App Store, and it does so for free, whereas enrolling in Apple's Developer Program costs $99 per year.
To generate a personal development certificate, a developer normally runs Xcode on a Mac with the iOS device tethered to it. The developers of ZergHelper appear to have worked out how Xcode requests these certificates from Apple so that the app could obtain them on its own.
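A practitioner triaging a device or an IPA will want to tell apart an app signed for the App Store from one signed with a development, ad hoc or enterprise profile, since the last three are the routes sideloaders such as the one described above rely on. The following is an added example, not code from the article or from Palo Alto Networks: it pulls the XML plist out of an embedded.mobileprovision file (a CMS-signed blob, whose signature is deliberately not verified here) and classifies the profile by the well-known keys ProvisionsAllDevices, ProvisionedDevices and the get-task-allow entitlement. The sample profile, its team name, device identifier and dates are constructed for the example.

```python
"""Classify an iOS provisioning profile by the way it was issued.

Added example, not from the article or from Palo Alto Networks.
An embedded.mobileprovision is a CMS (PKCS#7) signed blob that wraps an
XML plist. For triage the CMS signature is ignored and the plist is cut
out by locating its <?xml ... </plist> span.
"""
import datetime
import plistlib
import re

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(blob: bytes) -> dict:
    """Return the plist dictionary embedded in a .mobileprovision blob."""
    match = PLIST_RE.search(blob)
    if not match:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict) -> str:
    """Return 'enterprise', 'development', 'ad-hoc' or 'app-store'.

    ProvisionsAllDevices  -> enterprise (in-house) distribution profile
    ProvisionedDevices    -> bound to listed UDIDs; debuggable ones
                             (get-task-allow) are development profiles,
                             the rest are ad hoc
    neither               -> App Store distribution profile
    """
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def triage(blob: bytes) -> dict:
    """Summarise the facts an analyst wants from a profile blob."""
    profile = extract_plist(blob)
    lifetime = profile["ExpirationDate"] - profile["CreationDate"]
    return {
        "type": classify_profile(profile),
        "team": profile.get("TeamName"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "devices": len(profile.get("ProvisionedDevices", [])),
        "lifetime_days": lifetime.days,
    }


# Constructed sample: what a free personal development profile looks like.
# Team name, UDID and dates are invented for this example.
_SAMPLE_PLIST = plistlib.dumps({
    "AppIDName": "XC com example helper",
    "ApplicationIdentifierPrefix": ["ABCDE12345"],
    "CreationDate": datetime.datetime(2016, 2, 20, 12, 0, 0),
    "ExpirationDate": datetime.datetime(2016, 3, 20, 12, 0, 0),
    "Name": "iOS Team Provisioning Profile: com.example.helper",
    "ProvisionedDevices": ["00000000-0000000000000000"],
    "TeamName": "Jane Doe",
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.helper",
        "com.apple.developer.team-identifier": "ABCDE12345",
        "get-task-allow": True,
    },
})
# Fake CMS framing around the plist, standing in for the real signed wrapper.
SAMPLE_FREE_DEV_PROFILE = b"\x30\x82\x10\x00" + _SAMPLE_PLIST + b"\x00" * 16


if __name__ == "__main__":
    summary = triage(SAMPLE_FREE_DEV_PROFILE)
    for key, value in summary.items():
        print(f"{key:14} {value}")
```

On a real device or IPA the blob comes from `Payload/<App>.app/embedded.mobileprovision`; a profile classified as development or ad hoc inside an app that claims to come from the App Store is the signal to investigate further.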
It is important to note that ZergHelper itself is not malware, but the method it uses could enable future attacks on iOS devices.