Third-Party App Store Slips Inside iOS App Store
24.3.2017 securityweek iOS
A third-party app store application managed to slip into the official iOS App Store by masquerading as a legitimate financial helper application, according to Trend Micro researchers.
Dubbed “Household Accounts App” and claiming to be a financial helper app for families, the application is designed with Japanese characters, but the app store it leads to is written in Mandarin Chinese. The researchers discovered the program in the App Stores of multiple countries and couldn’t determine exactly who it targets.
When launched for the first time, the application checks the PPAASSWOpenKey key in the system’s user preference plist. Because the key doesn’t exist if the app hasn’t run before, this check tells the app whether this is its first launch, the researchers explain. The app then switches to the else branch, which requests the right to use data to access the third-party store; the user has to approve the request.
The third-party store can be used to install not only applications from the official iOS App Store, but also those that are distributed via unofficial channels, thus potentially exposing users to mobile malware and other unwanted applications. One of the programs distributed via this portal is “PG Client,” a tool for jailbreaking iOS devices.
In addition to this third-party store, the security researchers found a program designed to promote applications already in the App Store. Dubbed “LoveApp”, the software could bypass Apple’s arrangement of apps in searches and the paid Search Ads option and could create revenue by charging developers looking to promote apps without using Apple’s promotion service.
LoveApp was found to abuse iOS APIs that allow developers to display their app’s page, using them to direct users from its own listing to the App Store listings of the promoted apps. The app also has a series of privacy issues: it was found to upload some user attributes to its servers at installation, including the advertising identifier (idfa), which is used to count the number of downloads.
The app also uses a third-party SDK called TalkingData to gather information about the user’s behavior. The SDK has many aggressive API calls and can acquire various information about the user’s system, such as the Wi-Fi network name, running processes, and IP address. On jailbroken devices, it can also gather the user’s Apple ID and installed apps.
“We recommend that users be careful about downloading apps from third-party app stores. Apple can’t endorse the safety of any of the apps delivered via third-party stores, and such is the case here: users are still exposing themselves to various security threats (including malware and other unwanted apps). Organizations should put in place policies to reduce the risk from these malicious apps, such as blocking unapproved app stores and safeguarding personal devices,” Trend Micro notes.