How a Third-Party App Store Serves Adware

For bogus applications to be profitable, they should be able to entice users into installing them. Scammers do so by riding on the popularity of existing applications, embedding them with unwanted content—even malicious payloads—and masquerading them as legitimate. These repackaged apps are peddled to unsuspecting users, mostly through third-party app stores. Haima exactly does that, and more. We discovered this China-based third-party iOS app store aggressively promoting their repackaged apps in social network channels—YouTube, Facebook, Google+, and Twitter—banking on the popularity of games and apps such as Minecraft, Terraria, and Instagram to lure users into downloading them. Third-party app stores such as Haima rely on the trust misplaced not only by the users but also by distribution platforms such as Apple’s, whose Developer Enterprise Program is abused to deploy these repackaged apps. These marketplaces also appeal to the malefactors because they are typically less policed. Haima capitalizes on the monetization of ads that it unscrupulously pushes to its repackaged apps. Apple and Haima: A Cat and Mouse Game Apple’s strict control of its iOS ecosystem mitigates the proliferation of these apps. Haima tries to circumvent this by misusing Apple’s Developer Enterprise Program. By pretending to be an enterprise, this third-party app marketplace can distribute apps without having to be vetted through Apple’s lengthy certification process. Conversely, iOS 9 has updated the way custom, third-party apps are ‘trusted’ and installed, which includes a tiered verification process that require specific user actions. Fraudulently obtained enterprise certificates are also duly revoked by Apple, which prevents the repackaged apps from running. Consequently, Haima and other marketplaces peddling similarly repackaged apps have to frequently change its enterprise certificate in order to keep their fake apps functioning. In Haima’s case, it has already used more than five different certificates in a short span of 15 days. It doesn’t hurt their bottom line either— the income generated from Haima’s business model of distributing adware-carrying apps can more than offset the $299 price tag of an iOS enterprise certificate.

Figure 1: In a span of two weeks, Haima already used five different enterprise certificates to distribute its repackaged apps.

How the Repackaged Apps Serve Adware Two modified versions of the Pokemon Go app we found on Haima have already racked up more than one million downloads. The first version initially contained a payload that injected fake GPS/location data, which is used to bypass Pokemon Go’s geographical restrictions. A second version soon appeared containing a dynamic library (ad dylib) that consumes the users’ mobile data (if connected to cellular network) and exposes personal information through adware. The first version has also been updated, which now also carries the same adware-laden dynamic library. Other apps in the Haima marketplace have also been found to contain the same dynamic library:

Label / App Name	Version (Repackaged)	Downloads (million)	App Store Version
Minecraft PE	0.15.0.3	> 68.87	0.15.0.0
Terraria	1.2.11971	> 6.07	1.2.12715
Instagram	28404075	> 0.33	8.3
LINE	5	> 0.33	6.4.0
AVPlayer Pro	1.3.3	> 0.20	2.81
Facebook	23973043	> 0.15	58.0
Twitter	6.48	> 0.05	6.58
Uber	2.133.2	> 0.16	2.140.1
QQ	6.3.5.437	> 45.94	6.3.5
Wifi Password for iOS 7	1	> 0.97	1.1

We also found a similar repackaged Pokemon Go app in HiStore, a third-party app marketplace hosted in Vietnam with an English user interface. To date, the app has over 10 million downloads. HiStore also has repackaged versions of Minecraft, Facebook, Twitter, and other popular apps.

Figure 2: Modules embedded on the dynamic library, which are used by the app to display ads to the user

The repackaged apps on the Haima app market are embedded with dynamic libraries (dylib) that integrate modules from ad providers such as Inmobi, Mobvista, Adsailer, Chance, DianRu and Baidu. These ad providers are controlled by a JSON file with data retrieved from this URL: hxxp://spa[.]hadobi[.]com/app. An embedded dylib in Haima’s repackaged Pokemon Go apps has several components that use command-and-control communication to specify the ad provider, the type of ads to be displayed, and the server from where to retrieve and deliver the ad. It also has an identifier used by the ad providers to pay the scammers.

Figure 3: Code snippet of the JSON file requesting for a C&C server

Figure 4: Code snippet indicating the data has been received

Figure 5: Code snippet that selects the advertisements displayed to the user

Once the dynamic library confirms the advertisement to display, the corresponding ad module requests the API URL (e.g. hxxp//mobads[.]baidu[.]com/api) with parameters from advlist (one of the components of the dynamic library). The ad will be pulled from its IP address (i.e. 61[.]155[.]4[.]66).

Figure 6: Code snippet that pushes Baidu ads in a repackaged Pokemon Go app

Figure 7: Ad content retrieved from the ad server in x-protobuf format from a repackaged iTunes app

Profiling Users to Maximize Ad Distribution Analysis of these repackaged apps shows that they factor in device and network information, International Mobile Subscriber Identity and International Mobile Station Equipment Identity numbers, as well as jailbroken status to deliver a more targeted ad to the user. The same information, including the device name and IP address, are sent to its C&C server.

Figure 8: Code snippets that upload information to the C&C server

Figure 9: Like heartbeat packets, the dylib frequently and continuously uploads device information (including IP address) to its C&C server.

Playing It Safe Users are recommended to exercise caution when downloading apps from these app marketplaces, and to install apps only from the official App Store. As repackaged apps can also carry malicious content, organizations are recommended to implement security awareness policies to prevent further distribution of these apps, such as blocking unapproved app stores and safeguarding personal devices used in workplaces. To deter scammers from cracking and repackaging their apps, iOS app developers can employ mechanisms such as multi-pass checks, malformed Mach-O binaries, and code obfuscation. Developers can also implement validation of client code signature, which can help keep sensitive information from being leaked. Trend Micro detects these fake, potentially unwanted and malicious apps as IOS_Landmine.A. The SHA1s and package names related to our analysis that we disclosed to Apple can be found in this document.