Pirate app store found within the official iOS App Store

26 February 2016, 09:27

Incredible news from security researchers at Palo Alto Networks, who found an app within the legitimate iOS App Store offering pirated apps for download and installation.

Don’t bother looking for it, though. It’s long gone.

The genius lies in the way the app worked. For users in the US it presented itself as an English-learning app, but if it detected that the user was in China it showed the pirate app store interface. Of course, Apple’s App Store testers are likely to be in the US or Europe, so they never saw this and considered the app to be innocent.

Says Palo Alto Networks researcher Claud Xiao:

The app we identified is named “开心日常英语 (Happy Daily English),” and it has since been removed by Apple from the App Store. This app was a complex, fully functional third party App Store client for iOS users in mainland China. We also discovered enterprise signed versions of this application elsewhere in the wild. We had not identified any malicious functionality in this app, and as such we classified it as Riskware and have named it ZergHelper…

ZergHelper appears to have gotten by Apple’s app review process by performing different behaviors for users from different physical locations on earth. For users outside of China, it would act as what it claimed: an English studying app. However, when accessing the app from China, its real features would appear….

The app was made available in the App Store on October 30, 2015. However, nobody appeared to have noticed ZergHelper’s hidden functionality until February 19, 2016, when a user created a post in V2EX (a Chinese developer forum) to discuss it. We shared our findings with Apple on February 19, and Apple removed the app from the App Store later that day.

