Over 75 million iOS devices have been infected by adware, Securitylab reports, citing a study by Trend Micro. The affected users installed software distributed through the Chinese app store Haima. This service relies on side-loading, a technique for installing software that bypasses the App Store, which allows owners of Apple devices to install applications from unofficial sources.
Apple supports side-loading for the corporate market so that employees can use the custom applications they need that are not in the App Store. Typically, these programs contain corporate information, and Apple only benefits from side-loading, since it lets employees use the device in the workplace.
The Chinese service Haima uses this capability to spread adware. The process of installing its applications relies on newly issued Apple enterprise certificates. Typically, the scammers walk the user through the whole procedure using social engineering techniques.
Haima switches from one corporate certificate to another every three days, as Apple routinely blocks fake certificates. As a rule, criminals buy stolen certificates on underground hacker forums. Their average cost is about $300 – a modest sum, considering how much Haima earns on advertising.
As the experts at Trend Micro explain, all applications distributed via Haima contain dynamic code that displays advertising, usually from AdMob, Mobvista, Adsailer, Chance, DianRu and Baidu. In some cases (for example, in the Pokemon GO “clone”) this code also injects fake GPS data, letting users play even in unsupported regions. This implies that the process is not automated and that the developers insert the code into each application manually.
According to the researchers, a total of 75 million applications have been downloaded from Haima. Over 68.87 million users have downloaded a modified version of Minecraft Pocket Edition, more than 6 million – and 1 million – Pokemon GO.