ZergHelper is also providing free Apple IDs to users and it's not clear where those IDs are coming from and whether the app steals them from other devices. The app was available in the official app store from the end of October until Saturday, when Apple removed it after being alerted by Palo Alto Networks.
Palo Alto Networks' researchers have so far found no explicitly malicious behavior in ZergHelper. Its main purpose is to act as an alternative app store that lets users install cracked games and other pirated apps without jailbreaking their iOS devices.
Its creators appear to have fooled Apple's reviewers with simple tricks. The app was submitted to the app store under the name "Happy Daily English" (in Chinese) and was presented as a helper app for learning English.
Once installed on a phone, the app behaved as advertised if the user's IP (Internet Protocol) address was from outside mainland China. However, if the address was from China, a different interface would appear that would guide users through installing a provisioning profile. This is similar to the process that a device goes through when it's enrolled into a mobile device management system.
Once done, users could install apps from the alternative app store. Some of them were signed with stolen enterprise certificates, but others were signed with the new personal development certificates that Xcode generates for free.
"We don't know where the App Store reviewers are located," the Palo Alto Networks researchers said. "If they are not located in mainland China, this method could trick them into seeing a legitimate app. Even if they're in China, the author could just shut down that webpage during the review period so that the reviewer could not see the actual functionality through an analysis of its behavior."
The app also used another increasingly popular technique that allows developers to dynamically change their apps' code without submitting a new version to the official app store for review. This was done by integrating a framework called wax that bridges Lua scripting to native iOS Objective-C methods.
While ZergHelper is not malware per se, the techniques it uses could inspire future malicious attacks. Stolen enterprise certificates have been abused in the past, but ZergHelper takes it one step further by automatically generating free personal development certificates.
"This is of concern because the abuse of these certificates may be the first step toward future attacks," the Palo Alto Networks researchers said.