The Apple iOS environment is riddled with malicious fake apps, signed with enterprise certificates and had the same Bundle IDs as their official versions on the App Store. Repackaged versions of Pokemon Go, Facebook, and several other gaming apps are just some of the affected titles.
Although iOS 10 has pulled the plug on App Store/legitimate apps updating and overriding their copycats, fake apps still affect devices running on iOS 9.3.5 or earlier. They can still be re-signed, installed and run on iOS devices as long as they tote the same Bundle IDs, according to Trend Micro, and have a valid certificate.
First reported in 2014, a similar technique called the Masque Attack allowed hackers to replace a genuine app from the App Store with a malformed, enterprise-signed app that had the same Bundle Identifier (Bundle ID). Apple subsequently patched the vulnerabilities (CVE-2015-3772 and CVE-2015-3725), but while it closed a door, scammers simply opened a window. Haima and other third-party app stores are abusing a feature in iOS’s code signing process to achieve the same effect.
“More than just creating fake versions, the vulnerabilities pose serious risks in that bad guys can target legitimate apps to distribute their malware,” Trend Micro researchers explained in a blog. “Scammers only need to create malicious content bearing the same Bundle ID as the genuine app’s, then ride on its popularity to entice users into installing their malware. Homegrown apps used by enterprises can also be spoofed, re-signed and repackaged via the same Bundle ID.”
The repercussions to legitimate apps also vary, depending on how their data controls app behavior or how their functionalities are implemented. Crooks can route the legitimate app to a malicious service to phish for personally identifiable information, or even directly steal the user’s online bank accounts. They can also modify an app’s function, such as replacing URLs opened by the app to download malware (which is run after users ‘trust’ the certificate). The legitimate app’s advertisement ID can also be modified so the revenue generated from its monetized ads is sent to the scammers instead.
Scammers need only prepare a relatively modest toolkit to re-sign the app, Trend Micro researchers added.
“App developers who incorporate functions such as in-app purchases are advised to follow Apple’s official guidelines, particularly how to validate receipts with the App Store, as well as employ mechanisms that can deter scammers from reverse-engineering the app,” the company recommended. “Businesses that employ/support iOS devices are recommended to balance mobility and productivity with privacy and security-conscious policies, especially when adopting BYOD. Aside from keeping the OS up-to-date, the risks serve as a reminder for end users to beware of downloading apps from dubious third-party marketplaces.”
Photo © chasdesign/Shutterstock.com