
First reported in 2014, Masque Attack allowed hackers to replace a genuine app from the App Store with a malformed, enterprise-signed app that had the same Bundle Identifier (Bundle ID). Apple subsequently patched the vulnerabilities (CVE-2015-3772 and CVE-2015-3725), but while it closed a door, scammers seemed to have opened a window. Haima’s repackaged, adware-laden apps and its native helper application prove that App Store scammers are still at it.
This is in light of the significant number of malicious and potentially unwanted iOS apps we found that were signed with enterprise certificates and had the same Bundle IDs as their official versions on the App Store. Delving into them, we found that Haima and other third-party app stores were pulling off their scams by abusing a feature in iOS’s code signing process to achieve data inheritance.
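A defender-side check for the pattern described above, as an added example that is not from the original article: it flags an IPA that carries an enterprise (in-house) provisioning profile, identified here by the `ProvisionsAllDevices` key, and whose Bundle ID matches an official App Store app. The `OFFICIAL_BUNDLE_IDS` set, the function names and the sample IPA are constructed for illustration.

```python
import io
import plistlib
import re
import zipfile

# Assumption: Bundle IDs of the official App Store apps you want to protect.
OFFICIAL_BUNDLE_IDS = {"com.example.bank"}  # constructed placeholder value

def _profile_plist(blob):
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision.
    This reads the profile only; it does not verify the CMS signature."""
    m = re.search(rb"<\?xml.*?</plist>", blob, re.DOTALL)
    return plistlib.loads(m.group(0)) if m else {}

def inspect_ipa(data):
    """Return (bundle_id, enterprise_signed, collides) for raw IPA bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        info_name = next(n for n in names
                         if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        info = plistlib.loads(z.read(info_name))  # XML or binary plist
        prof_name = info_name[:-len("Info.plist")] + "embedded.mobileprovision"
        profile = _profile_plist(z.read(prof_name)) if prof_name in names else {}
    bundle_id = info.get("CFBundleIdentifier", "")
    # In-house (enterprise) distribution profiles set ProvisionsAllDevices.
    enterprise = profile.get("ProvisionsAllDevices") is True
    return bundle_id, enterprise, enterprise and bundle_id in OFFICIAL_BUNDLE_IDS

def build_sample_ipa(bundle_id, enterprise):
    """Constructed test input: a minimal IPA-shaped zip, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        if enterprise:
            body = plistlib.dumps({"ProvisionsAllDevices": True})
            # Placeholder bytes stand in for the CMS framing of a real profile.
            z.writestr("Payload/Demo.app/embedded.mobileprovision",
                       b"\x30\x82CMS" + body + b"\x00sig")
    return buf.getvalue()

if __name__ == "__main__":
    for bid, ent in [("com.example.bank", True), ("com.example.other", True),
                     ("com.example.bank", False)]:
        print(inspect_ipa(build_sample_ipa(bid, ent)))
```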