Bootlegger tool posed as English language guide
A dodgy application that evaded Apple’s hardline code reviewers and made it into Cupertino’s official App Store has been turfed out.
The program – which featured a hidden smugglers’ cove of software – was ejected after it was fingered by third-party security researchers.
The team at Palo Alto Networks explained over the weekend that although the Happy Daily English app posed as an English studying tool to users outside China, it actually offered a secret store of pirated and cracked iOS apps and games to users within China.
Apple’s official iOS App Store is well known for its strict code review process.
This mandatory policy for app acceptance into Apple’s walled garden has become an important mechanism in protecting the privacy and security of iOS users.
Circumventing this policy therefore shakes the foundation of the whole App Store ecosystem.
No malicious behaviors in Happy Daily English have been noted; however, some of the techniques used to get around Apple’s review are novel and have the potential for abuse.
Happy Daily English (classified by Palo Alto as ZergHelper) allowed people to purchase and download apps.
The covert bazaar asks the user to hand over their Apple ID logins, although it also offers some valid Apple IDs for people to scrounge off.
It will then log in to an Apple server using these IDs to perform various operations in the background.
Exactly what it’s doing isn’t immediately clear.
“ZergHelper’s code is complex and it’s still unclear whether it would steal account information and send it back to the server or not,” Palo Alto researchers admit.
We’re told Happy Daily English exploits enterprise certificates and personal developer certificates to sign and install apps on people’s iOS devices – apps that may include code that hasn’t been reviewed, Palo Alto warns.
Palo Alto Networks’ Unit 42 research arm discovered enterprise-signed versions of this application in the wild.
The app was developed by a company in China that named its main product “XY Helper.” ZergHelper was the non-jailbroken and “official App Store” version of this product.
Researchers reported the risky app to Apple and, following a review, Apple removed it from the App Store over the weekend.
The app was released onto the App Store on 30 October 2015.
But nobody seems to have noticed its hidden functionality until 19 February – a span of more than three and a half months. ®