Chinese 3rd-party app store at the root of all infections

Sep 12, 2016 19:55 GMT  ·  By

A Chinese third-party iOS app store has infected over 75 million users with adware by repackaging popular apps and redistributing them via its website.

The app store, called Haima, caters to the Chinese market only. The service uses a technique called app side-loading to allow users to install apps from outside the official iOS App Store.

Apple supports app side-loading for the enterprise market, where private businesses want their employees to be able to install custom apps that are not available in the App Store. These apps usually handle sensitive corporate information, and Apple is more than happy to provide the functionality because it needs a presence in the BYOD market.

Haima store relies on stolen digital certificates

Haima operators are using this side-loading process to deliver their apps. The installation process is complicated and relies on custom Apple-issued enterprise certificates.

Users are often tricked into going through this lengthy procedure by aggressive and enticing social media campaigns. On its side, Haima switches to a new enterprise certificate every three days. The operators change certificates on a regular basis because Apple often bans the abused certs.

These certificates are often stolen from legitimate businesses and sold via underground hacking forums. One such certificate costs around $300, a small cost compared to the money Haima store owners are making from their ad-packaged apps.
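As an added, defender-side example that is not part of this article or of Trend Micro's research: a Python triage script that pulls the plist out of an app's embedded.mobileprovision, reports whether the profile is an in-house (enterprise) one that installs without App Store review, and flags bundle identifiers that a device-fleet inventory has seen signed by more than one team, which is the footprint the certificate rotation described above leaves behind. The profile bytes, team identifiers, dates and inventory are constructed placeholders; the script skips the profile's CMS signature and only extracts the embedded plist text, which is enough for inventory triage but is not a signature check.

```python
import plistlib
from collections import defaultdict
from datetime import datetime

# Constructed sample: the XML plist payload of an in-house (enterprise) provisioning
# profile. Real .mobileprovision files wrap this plist in a CMS/PKCS#7 signature;
# the bytes around it below are a placeholder for that envelope, not real DER.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Example Game</string>
    <key>Name</key><string>Example In-House Profile</string>
    <key>TeamIdentifier</key><array><string>PLACEHOLDERTEAM</string></array>
    <key>TeamName</key><string>Example Corp (placeholder)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>CreationDate</key><date>2016-09-01T00:00:00Z</date>
    <key>ExpirationDate</key><date>2017-09-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>PLACEHOLDERTEAM.com.example.game</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""
SAMPLE_PROFILE = (b"\x30\x82\x10\x00CMS-ENVELOPE-PLACEHOLDER" + SAMPLE_PLIST
                  + b"\x00\x00SIGNATURE-PLACEHOLDER")

# Fixed reference time so the expiry check is reproducible (constructed).
REFERENCE_NOW = datetime(2016, 9, 12)

# Constructed fleet inventory: (bundle id, signing team id) pairs as an MDM
# export might list them. One bundle id hops between three teams.
SAMPLE_INVENTORY = [
    ("com.example.game", "PLACEHOLDERTEAM"),
    ("com.example.game", "OTHERTEAM0001"),
    ("com.example.game", "OTHERTEAM0002"),
    ("com.example.notes", "NOTESTEAM0001"),
    ("com.example.notes", "NOTESTEAM0001"),
]


def extract_profile_plist(raw: bytes) -> dict:
    """Locate and parse the XML plist embedded in a .mobileprovision blob.

    The CMS signature is not verified here; this is the usual triage shortcut
    of slicing from '<?xml' to '</plist>' and handing the text to plistlib.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def assess_profile(profile: dict, now: datetime) -> dict:
    """Classify the distribution model a profile grants and list risk indicators."""
    entitlements = profile.get("Entitlements", {})
    findings = []

    # In-house enterprise profiles carry ProvisionsAllDevices; ad-hoc and
    # development profiles list explicit device UDIDs instead.
    if profile.get("ProvisionsAllDevices"):
        model = "enterprise"
        findings.append("in-house profile: installs on any device without App Store review")
    elif "ProvisionedDevices" in profile:
        model = "ad-hoc/development"
    else:
        model = "app-store"

    if entitlements.get("get-task-allow"):
        findings.append("get-task-allow set: a debugger may attach to the app")

    expires = profile.get("ExpirationDate")
    expired = bool(expires and expires < now)
    if expired:
        findings.append("profile expired; app will stop launching")

    return {
        "model": model,
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "app_id": entitlements.get("application-identifier"),
        "expired": expired,
        "findings": findings,
    }


def find_multi_team_apps(inventory) -> dict:
    """Return bundle ids that the fleet has seen signed by more than one team.

    A legitimately distributed app keeps one signing team; a bundle id that
    moves between teams over time matches the certificate-rotation pattern.
    """
    teams = defaultdict(set)
    for bundle_id, team_id in inventory:
        teams[bundle_id].add(team_id)
    return {b: sorted(t) for b, t in teams.items() if len(t) > 1}


if __name__ == "__main__":
    report = assess_profile(extract_profile_plist(SAMPLE_PROFILE), REFERENCE_NOW)
    print(report)
    print(find_multi_team_apps(SAMPLE_INVENTORY))
```

Running the script on the constructed sample reports an enterprise profile with one finding, and the inventory pass flags `com.example.game` as signed by three different teams. In a real deployment the inventory would come from an MDM export and the profile bytes from the app bundle's embedded.mobileprovision.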

Re-packaged Minecraft version downloaded by over 68 million users

Trend Micro researchers have analyzed the apps distributed via the store. They say that all contain dynamic code injected into the original app that's responsible for showing the ads, usually from ad networks such as Inmobi, Mobvista, Adsailer, Chance, DianRu and Baidu.

For some apps, like the Pokemon GO clone, this code also injects fake GPS data so users can install and use the app from unsupported regions. This shows that the process is not fully automated, and that a developer is manually inserting this code into the apps.

According to statistics gathered by Trend Micro, over 75 million iOS users have installed apps from the Haima store. Over 68.87 million of these users have installed a repackaged version of the Minecraft Pocket Edition app.

Another 6+ million installed a tampered version of the Terraria app, while over one million installed the previously mentioned Pokemon GO clone.

The store seems to be very successful despite the defensive measures Apple added in iOS 9, which have made the process of side-loading apps more time-consuming and full of security warnings. This hasn't deterred users, who plowed through all the warnings, infecting their devices and making millions for Haima's owners.

Different apps from the Haima store using different enterprise certificates