Friday, 30. September 2016

Helper for Haima iOS App Store Adds More Malicious Behavior

In an earlier blog post, we talked about the Haima app store on iOS. Here, we found that official apps were repacked and advertising modules added to generate revenue for the owners.

One reason for this store’s popularity is its relative ease of use, thanks to the “Haima iOS Helper”. This app is meant to complement the rest of the store by making it easier to install apps and manage the user’s device. This can be considered analogous to the roles that iTunes performs for most iOS users.

Unfortunately, this particular helper app brings its own share of malicious code to the table. We detect this as TSPY_LANDMIN.A.

First up: legitimate iTunes version

This helper is offered as a download from the Haima website. It prompts the user to download a specific version of iTunes ( directly from Haima. This file is identical to the official version from Apple, although it is no longer the newest version of iTunes.

Figure 1. iTunes download prompt

Figure 2. Download from Haima server

The helper doesn’t use iTunes directly; its only goal here is to install the iPhone drivers that come with this particular version of iTunes.

Adding the patch package

Once iTunes has been installed, a patch package is then downloaded from the Haima servers:

Figure 3. Download of patch package

Figure 4. Patch package contents

The contents of the package are unzipped into the Haima directory.

Figure 5. Patch package in Haima directory

The files in this patch actually come from Apple. Haima analysed the iTunes protocol based on version of iTunes, so the helper relies on DLLs from this particular version. Even if iTunes is upgraded later, it can still install apps or sync data to and from iOS devices.

Figure 6. DLL version

How to install apps

Haima offers two ways to install apps. On iOS, all apps that are installed need to be signed, so Haima uses two methods: one involves using enterprise provisioning certificates, while the other involves apps provided by Apple via the App Store. The image below shows the helper app, which functions more or less as an app store as well:

Figure 7. Haima helper app

The helper app has all the features expected of an app store – categories, must-have lists, recommended apps, etcetera. Some of these apps are the same as those on the original iOS App Store, and those have been flagged by us in the above screenshot.

The helper can directly install apps signed with an enterprise certificate, and it can also install apps from Apple via the App Store. We will discuss the use of enterprise certificates later on in this post. How does it do the latter? It connects back to Haima and “acquires” an Apple ID:

Figure 8. Request for Apple ID

The above screen shows the user that Haima requires an Apple ID, and to click the button to get one and enjoy a better experience.

Figure 9. Getting an Apple ID

The above window states that a verification process is ongoing, including a check of the security environment,

Figure 10. Successful Acquisition of Apple ID

The above window appears when an Apple ID has been successfully acquired. The user doesn’t even know the password of this particular Apple ID account, but the helper app can install any iOS app onto the user’s iPhone using this Apple ID.

Figure 11. Installation of app with Apple ID

If the user already installed an app via the App Store, the helper will ask the user to remove this version first. The helper will update the enterprise certificate on the device, and then (re)install the app on the phone.

Figure 12. Request to uninstall app

Figure 13. Update for enterprise certificate

Dynamic App Signing To Bypass Apple Revocation

As we mentioned earlier, the helper app can also use enterprise certificates to install apps onto devices. Apple is well aware of how enterprise provisioning and certificates can be abused, and they are constantly revoking any such certificates which have been abused. Haima replaces the enterprise certificates they use every few days. In addition to that, they also use dynamic app signing to reduce the exposure of the enterprise certificates.

Before the helper app installs the enterprise certificate app onto the phone, it is signed with a new (and valid) enterprise certificate. This is to prevent Apple from revoking the original enterprise certificate.

Figure 14. Downloaded Original Enterprise Certificate App and New Provisioning Profile

Figure 15. Original and New Enterprise Certificate Mach-O Files

Figure 16. From Original Certificate to New

Leaking the user’s Apple ID

There’s a third way to install apps. If you don’t want to use the Haima-provided Apple ID, you can use yours – you just need to enter your own Apple ID and password.

Figure 17. Login screen asking for Apple ID

Unfortunately, this not a good idea. Why? Because the helper app steals the user’s own username and password.

Figure 18. Code leaking Apple ID

Photos Synced to PC

By default, the photos on an iPhone are not synced to the PC. The helper app, however, automatically syncs the user’s photos to the user’s computer:

Figure 19. Synced pictures

Malicious Codes in Helper App

The helper app also contains malicious code for various information-stealing function calls. However, these are either non-functional or not called.

Figure 20. Malicious code


The Haima helper app is a key part of making this third-party store more usable for its users. By managing both enterprise certificates and Apple App Store logins, it makes the user experience much more seamless.

However, it also introduces serious security risks. The apparent theft of the user’s Apple ID credentials is a serious risk in and of itself. The apparent inclusion of malicious functions in the code itself is also worrying. We recommend not using third-party app stores as they pose a security risk in general, and this case shows why we recommend that.

We detect the following files as TSPY_LANDMIN.A:

SHA1 hash File name 1fd7073ffd23e6b57be7418be24b78cd3694fe2f IPhoneHelperDll.dll 8d13df388e1dae9d0100967190d4d4b32bd25b8f 00_4.3.7.exe ec58ec2ecc019d5c927acfa7520550c35d1b480c Haima.exe Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Helper for Haima iOS App Store Adds More Malicious Behavior