The famous Chinese-only third-party iOS app store Haima has infected over 75 million devices with adware by repackaging popular apps.
Haima Relies on Rogue Tactics
The Haima iOS app store caters only to Chinese users. It works by sideloading: the installation of applications from locations other than the official iOS store. Sideloading is supported for the enterprise segment, where companies often develop their own software for their employees.
The applications available on Haima are repackaged versions of popular legitimate software. The only difference is that they are bundled with adware. Aggressive marketing and spam tactics have been uncovered that lure users into installing applications from the unofficial store.
The actual installation steps are not very easy to follow, and the Haima apps use enterprise certificates that are switched every three days. This is done to avoid permanent abuse bans from Apple’s side.
Security researchers note that these certificates are often stolen from businesses and sold via underground hacker networks. Specialists have identified that one such certificate costs around 300 US Dollars.
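For defenders triaging an IPA file, the enterprise signing described above shows up in the app's embedded provisioning profile, where the `ProvisionsAllDevices` key marks an in-house (enterprise) profile. The Python check below is an added example, not code from the article or from Trend Micro; the sample IPAs, team name and helper names are constructed for illustration.

```python
import io
import plistlib
import re
import zipfile

PROFILE_RE = re.compile(r"^Payload/[^/]+\.app/embedded\.mobileprovision$")

def read_profile(ipa_bytes):
    """Return the provisioning profile plist from an IPA, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        name = next((n for n in ipa.namelist() if PROFILE_RE.match(n)), None)
        if name is None:
            return None  # no embedded profile in this archive
        blob = ipa.read(name)
    # The profile is a CMS-signed container; the plist sits inside as plain XML.
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in embedded.mobileprovision")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(ipa_bytes):
    """Return (kind, team name) describing how the app is provisioned."""
    profile = read_profile(ipa_bytes)
    if profile is None:
        return ("no-profile", None)
    team = profile.get("TeamName")
    if profile.get("ProvisionsAllDevices") is True:
        return ("enterprise", team)      # in-house profile: installs on any device
    if "ProvisionedDevices" in profile:
        return ("device-limited", team)  # development or ad hoc profile
    return ("unknown", team)

def make_sample_ipa(profile=None):
    """Build a constructed IPA in memory; bytes around the plist mimic the CMS wrapper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", plistlib.dumps({"CFBundleName": "Sample"}))
        if profile is not None:
            blob = b"\x30\x82CMS-HEADER" + plistlib.dumps(profile) + b"CMS-SIGNATURE"
            z.writestr("Payload/Sample.app/embedded.mobileprovision", blob)
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_sample_ipa({"ProvisionsAllDevices": True, "TeamName": "Constructed Corp"})
    print(classify(sample))
```

An "enterprise" result on an app that did not come from the organisation's own distribution channel is the signal worth investigating, along with the team name on the profile.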
Researchers from Trend Micro analyzed the distributed applications and concluded that all of them contain custom dynamic code. This code is responsible for displaying ads from networks such as Inmobi, Mobvista, Adsailer, Chance, DianRu and Baidu.
Some applications like Pokemon Go contain additional custom code that injects GPS data. This allows the application to run in non-supported countries and regions. According to the gathered statistics, over 75 million iOS users in total have installed applications from the Haima store, and over 68 million of those have installed the repackaged adware version of Minecraft.
Security experts note that the store continues to rise in popularity despite Apple’s countermeasures in iOS 9. The security warnings are easily disabled by the users thanks to the effective spam campaigns that coerce them into using apps from Haima.