Helper for Haima iOS App Store Adds Malicious Behavior
We discuss the malicious code we've detected in the “Haima iOS Helper,” which is an app that is meant to complement the rest of the store by making it easier to install apps and manage the user’s device. We detect this as TSPY_LANDMIN.A.
Figure 1. iTunes download prompt
Figure 2. Download from Haima server

The helper doesn't use iTunes directly; its only goal here is to install the iPhone drivers that come with this particular version of iTunes.

Adding the patch package

Once iTunes has been installed, a patch package is then downloaded from the Haima servers:
Figure 3. Download of patch package
Figure 4. Patch package contents

The contents of the package are unzipped into the Haima directory.
Figure 5. Patch package in Haima directory

The files in this patch actually come from Apple. Haima analysed the iTunes protocol based on version 188.8.131.52 of iTunes, so the helper relies on DLLs from this particular version. Even if iTunes is upgraded later, it can still install apps or sync data to and from iOS devices.
Figure 6. DLL version

How to install apps

Haima offers two ways to install apps. On iOS, all apps that are installed need to be signed, so Haima uses two methods: one involves using enterprise provisioning certificates, while the other involves apps provided by Apple via the App Store. The image below shows the helper app, which functions more or less as an app store as well:
Figure 7. Haima helper app

The helper app has all the features expected of an app store - categories, must-have lists, recommended apps, etc. Some of these apps are the same as those on the original iOS App Store, and those have been flagged by us in the above screenshot. The helper can directly install apps signed with an enterprise certificate, and it can also install apps from Apple via the App Store. We will discuss the use of enterprise certificates later on in this post. How does it do the latter? It connects back to Haima and "acquires" an Apple ID:
Figure 8. Request for Apple ID
The above screen shows the user that Haima requires an Apple ID, and to click the button to get one and enjoy a better experience.
Figure 9. Getting an Apple ID
The above window states that a verification process is ongoing, including a check of the security environment.
Figure 10. Successful acquisition of Apple ID

The above window appears when an Apple ID has been successfully acquired. The user doesn't even know the password of this particular Apple ID account, but the helper app can install any iOS app onto the user's iPhone using this Apple ID.
Figure 11. Installation of app with Apple ID

If the user already installed an app via the App Store, the helper will ask the user to remove this version first. The helper will update the enterprise certificate on the device, and then (re)install the app on the phone.
Figure 12. Request to uninstall app
Figure 13. Update for enterprise certificate

Dynamic App Signing To Bypass Apple Revocation

As we mentioned earlier, the helper app can also use enterprise certificates to install apps onto devices. Apple is well aware of how enterprise provisioning and certificates can be abused, and they are constantly revoking any such certificates which have been abused. Haima replaces the enterprise certificates they use every few days. In addition to that, they also use dynamic app signing to reduce the exposure of the enterprise certificates. Before the helper app installs the enterprise certificate app onto the phone, it is signed with a new (and valid) enterprise certificate. This is to prevent Apple from revoking the original enterprise certificate.
Figure 14. Downloaded Original Enterprise Certificate App and New Provisioning Profile
Figure 15. Original and New Enterprise Certificate Mach-O Files
Figure 16. From original certificate to new

Leaking the user's Apple ID

There's a third way to install apps. If you don't want to use the Haima-provided Apple ID, you can use yours - you just need to enter your own Apple ID and password.
Figure 17. Login screen asking for Apple ID

Unfortunately, this is not a good idea. Why? Because the helper app steals the user's own username and password.
Figure 18. Code leaking Apple ID

Photos Synced to PC

By default, the photos on an iPhone are not synced to the PC. The helper app, however, automatically syncs the user's photos to the user's computer:
Figure 19. Synced pictures

Malicious Code in Helper App

The helper app also contains malicious code for various information-stealing function calls. However, these are either non-functional or not called.
Figure 20. Malicious code

Summary

The Haima helper app is a key part of making this third-party store more usable for its users. By managing both enterprise certificates and Apple App Store logins, it makes the user experience much more seamless. However, it also introduces serious security risks. The apparent theft of the user's Apple ID credentials is a serious risk in and of itself. The apparent inclusion of malicious functions in the code itself is also worrying. We recommend not using third-party app stores as they pose a security risk in general, and this case shows why we recommend that. We detect the following files as TSPY_LANDMIN.A:
| SHA1 hash | File name |