Figure 1: In a span of two weeks, Haima already used five different enterprise certificates to distribute its repackaged apps.
How the Repackaged Apps Serve Adware Two modified versions of the Pokemon Go app we found on Haima have already racked up more than one million downloads. The first version initially contained a payload that injected fake GPS/location data, which is used to bypass Pokemon Go’s geographical restrictions. A second version soon appeared containing a dynamic library (ad dylib) that consumes the users’ mobile data (if connected to cellular network) and exposes personal information through adware. The first version has also been updated, which now also carries the same adware-laden dynamic library. Other apps in the Haima marketplace have also been found to contain the same dynamic library:Label / App Name | Version (Repackaged) | Downloads (million) | App Store Version |
Minecraft PE | 0.15.0.3 | > 68.87 | 0.15.0.0 |
Terraria | 1.2.11971 | > 6.07 | 1.2.12715 |
28404075 | > 0.33 | 8.3 | |
LINE | 5 | > 0.33 | 6.4.0 |
AVPlayer Pro | 1.3.3 | > 0.20 | 2.81 |
23973043 | > 0.15 | 58.0 | |
6.48 | > 0.05 | 6.58 | |
Uber | 2.133.2 | > 0.16 | 2.140.1 |
6.3.5.437 | > 45.94 | 6.3.5 | |
Wifi Password for iOS 7 | 1 | > 0.97 | 1.1 |
Figure 2: Modules embedded on the dynamic library, which are used by the app to display ads to the user
Figure 3: Code snippet of the JSON file requesting for a C&C server
Figure 4: Code snippet indicating the data has been received
Figure 5: Code snippet that selects the advertisements displayed to the user
Once the dynamic library confirms the advertisement to display, the corresponding ad module requests the API URL (e.g. hxxp//mobads[.]baidu[.]com/api) with parameters from advlist (one of the components of the dynamic library). The ad will be pulled from its IP address (i.e. 61[.]155[.]4[.]66).Figure 6: Code snippet that pushes Baidu ads in a repackaged Pokemon Go app
Figure 7: Ad content retrieved from the ad server in x-protobuf format from a repackaged iTunes app
Profiling Users to Maximize Ad Distribution Analysis of these repackaged apps shows that they factor in device and network information, International Mobile Subscriber Identity and International Mobile Station Equipment Identity numbers, as well as jailbroken status to deliver a more targeted ad to the user. The same information, including the device name and IP address, are sent to its C&C server.Figure 8: Code snippets that upload information to the C&C server
Figure 9: Like heartbeat packets, the dylib frequently and continuously uploads device information (including IP address) to its C&C server.
Playing It Safe Users are recommended to exercise caution when downloading apps from these app marketplaces, and to install apps only from the official App Store. As repackaged apps can also carry malicious content, organizations are recommended to implement security awareness policies to prevent further distribution of these apps, such as blocking unapproved app stores and safeguarding personal devices used in workplaces. To deter scammers from cracking and repackaging their apps, iOS app developers can employ mechanisms such as multi-pass checks, malformed Mach-O binaries, and code obfuscation. Developers can also implement validation of client code signature, which can help keep sensitive information from being leaked. Trend Micro detects these fake, potentially unwanted and malicious apps as IOS_Landmine.A. The SHA1s and package names related to our analysis that we disclosed to Apple can be found in this document.