Another pirated app service uses Apple enterprise license to distribute stolen software

Posted in iPhone, edited December 2015
Word of a fairly well known pirated app service called vShare hit mainstream media outlets on Wednesday as part of a CNNMoney feature, which said the nefarious firm leverages Apple's own enterprise tools to distribute free versions of top paid iOS titles without requiring a jailbreak.




Thought to be run by Chinese owners located in Shanghai, the vShare App Market has officially been in operation since 2011 and is recognized in some jailbreaking circles as a go-to source for free apps. The service recently gained notoriety for compatibility with non-jailbroken iPhones and iPads running iOS 8 and above.

Like other recent pirated app services, vShare is built on Apple's enterprise licensing technology. Designed for corporations or other entities with large iOS device deployments, Apple Developer Enterprise certificates allow license holders to provision their own apps for internal distribution and download.

In the case of vShare, the service used purchased certificates to create a trusted app, available for download via the Web, that acts as its own illegitimate app store. Security researchers at Proofpoint told CNNMoney that vShare obtained four Apple Developer Enterprise certificates to accomplish the task. Proofpoint has informed Apple of its findings.

As of this writing, attempts to install the vShare app on devices running iOS 8 or iOS 9 proved unsuccessful, suggesting Apple has revoked one or all of vShare's provisioned certificates.

vShare's impact on legitimate app sales is unknown, but today's report notes popular titles like Minecraft: Pocket Edition and Geometry Dash have been "liked" by more than 1.4 million downloaders.

Interestingly, vShare's terms of use include a disclaimer regarding intellectual property rights, which notes the service will remove any app found to be in infringement of owned properties if provided with appropriate documentation. The terms also state, however, that vShare "assumes no responsibility for monitoring the Service."
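
For device administrators, the enterprise provisioning described in the article leaves a visible mark inside an app package. The following is an added example, not part of the original article or of any Apple tooling: it reads the provisioning profile embedded in an IPA and flags in-house (enterprise) distribution. `ProvisionsAllDevices`, `ProvisionedDevices`, `TeamName`, `ExpirationDate` and `get-task-allow` are keys found in Apple provisioning profiles; the function names, the sample IPA and the team name are constructed for illustration.

```python
import io
import plistlib
import zipfile
from datetime import datetime

def extract_profile(ipa_bytes):
    """Return the provisioning-profile dict embedded in an IPA, or None."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            parts = name.split("/")
            # Top-level bundle only: Payload/<App>.app/embedded.mobileprovision
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app")
                    and parts[2] == "embedded.mobileprovision"):
                blob = ipa.read(name)
                # The file is a CMS-signed envelope with the XML plist stored
                # in the clear. Slicing it out does NOT verify the signature.
                start = blob.find(b"<?xml")
                end = blob.find(b"</plist>", start)
                if start == -1 or end == -1:
                    raise ValueError("no plist payload in " + name)
                return plistlib.loads(blob[start:end + len(b"</plist>")])
    return None

def classify(profile):
    """Map profile keys to a distribution type."""
    if profile is None:
        return "no-profile"            # typical of App Store downloads
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"            # in-house profile, runs on any device
    if profile.get("ProvisionedDevices"):
        ent = profile.get("Entitlements", {})
        return "development" if ent.get("get-task-allow") else "ad-hoc"
    return "app-store"

def triage(ipa_bytes, now):
    """Summarise an IPA for review; `now` is a naive UTC datetime."""
    profile = extract_profile(ipa_bytes)
    kind = classify(profile)
    report = {"kind": kind, "review": kind == "enterprise"}
    if profile is not None:
        report["team"] = profile.get("TeamName")
        exp = profile.get("ExpirationDate")
        report["expired"] = exp is not None and exp < now
    return report

def make_sample_ipa(profile):
    """Build a constructed IPA in memory (placeholder bytes, not a real CMS)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", b"")
        if profile is not None:
            blob = b"\x30\x82" + plistlib.dumps(profile) + b"\x00"
            z.writestr("Payload/Sample.app/embedded.mobileprovision", blob)
    return buf.getvalue()

# Constructed sample values, not taken from any real profile.
SAMPLE = {"TeamName": "Example Corp (constructed)",
          "ProvisionsAllDevices": True,
          "ExpirationDate": datetime(2016, 6, 1)}

if __name__ == "__main__":
    print(triage(make_sample_ipa(SAMPLE), datetime(2015, 12, 10)))
```

An unexpired profile says nothing about whether the signing certificate has since been revoked, so a result of "enterprise" from an unknown team is a prompt for review rather than a verdict.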

Comments

  • Reply 1 of 25
    Glad to see it's been blocked. Disgusting thieves.
  • Reply 2 of 25
    This is such a ridiculous method to try and distribute Apps. Apple can revoke enterprise certificates immediately upon discovering them effectively shutting down the service.

    How would a site get word out to potential customers to download Apps without word getting back to Apple about a certificate being abused?
  • Reply 3 of 25
    This is such a ridiculous method to try and distribute Apps. Apple can revoke enterprise certificates immediately upon discovering them effectively shutting down the service.

    How would a site get word out to potential customers to download Apps without word getting back to Apple about a certificate being abused?
    It apparently is far more successful for Android and Windows apps. If the site is more familiar to the Asian users, there seems to be no awareness of the dangers of malware with "free" software in those cultures.
  • Reply 4 of 25
    cropr Posts: 753 member
    One should never use a different app store, it can only lead to trouble, malware and other security issues. I don't understand that people want to go that way.  Even on Android where a single app store is not enforced, it is a bad idea to use an alternative app store.
  • Reply 5 of 25
    This is such a ridiculous method to try and distribute Apps. Apple can revoke enterprise certificates immediately upon discovering them effectively shutting down the service.

    How would a site get word out to potential customers to download Apps without word getting back to Apple about a certificate being abused?
    It apparently is far more successful for Android and Windows apps. If the site is more familiar to the Asian users, there seems to be no awareness of the dangers of malware with "free" software in those cultures.

    True about third party stores.

    But I don't believe anyone is actually using enterprise certificates to distribute malware. I think they are all just proof of concepts drummed up to make it appear Apple has a malware problem.

    You have to register as an enterprise developer with Apple and this costs $299 per year. And you don't just sign up with a credit card and get approved. You have to verify you're an actual company (legal entity).

    As soon as Apple discovers a certificate is being abused they revoke it (as evidenced by this article where it didn't work when they tried it). I'm not sure what Apple does internally, but you can bet they don't just revoke it and let it go. The company and/or people and/or IP addresses involved are probably blacklisted so they can't come back and get another certificate later on.

    In short, this is nothing more than scare mongering/Apple bashing. There's little to no chance you'll ever come across a working enterprise certificate in the wild.
    edited December 2015
  • Reply 6 of 25
    gatorguy Posts: 18,462 member
    Apple bashing? How so? So there's ways to sideload unofficial iOS apps to your non-jailbroken iPhone. Big deal, it's not a huge surprise. It doesn't make Apple look bad IMHO since they certainly don't condone it. 

    Here's one site still active FWIW
    https://isigncloud.com/
    edited December 2015
  • Reply 7 of 25
    Wow, what's with the "your post will appear after it has been approved" messages I'm seeing?
  • Reply 8 of 25
    patsu Posts: 415 member
    It apparently is far more successful for Android and Windows apps. If the site is more familiar to the Asian users, there seems to be no awareness of the dangers of malware with "free" software in those cultures.

    True about third party stores.

    But I don't believe anyone is actually using enterprise certificates to distribute malware. I think they are all just proof of concepts drummed up to make it appear Apple has a malware problem.

    You have to register as an enterprise developer with Apple and this costs $299 per year. And you don't just sign up with a credit card and get approved. You have to verify you're an actual company (legal entity).

    As soon as Apple discovers a certificate is being abused they revoke it (as evidenced by this article where it didn't work when they tried it). I'm not sure what Apple does internally, but you can bet they don't just revoke it and let it go. The company and/or people and/or IP addresses involved are probably blacklisted so they can't come back and get another certificate later on.

    In short, this is nothing more than scare mongering/Apple bashing. There's little to no chance you'll ever come across a working enterprise certificate in the wild.

    Yes, malware and side loading are mainstream on Android. That's why they are seldom newsworthy unless the exploit is egregious, like the MMS one earlier. Or the exploit is persistent, able to survive even an OS reformat and reinstall.

    For enterprise app loading, it is an official mechanism for companies to manage their apps. So you'll need to register your device with the company first.
    A company can't just push their apps on you. You have to voluntarily yield your device control to that company by registering your device with them first.

    Because of this, and the ease of revoking enterprise certs, such channel is not so effective. The user has to reregister their devices every time the cert got revoked. Most apps are free anyway, so there's little incentive to risk this.

    There is another interesting mechanism to side load an iOS app. That's using Xcode, and only works on your personal registered device. Presumably you can load a game emulator this way if it's open source. But its main purpose is for prototyping and learning. IMHO, they should tie this mechanism with the recent Swift open source effort. Extend it to handle open source Swift apps, the added control and benefits will be even greater.

  • Reply 9 of 25
    patsu Posts: 415 member
    gatorguy,

    It's different. iSignCloud requires its users to voluntarily register their devices with the service; like an employee acknowledging his or her employer. After all, iSignCloud uses an enterprise cert to support their store. Apple or the company that owns the stolen cert can revoke the cert easily.

    Your typical Android malware infiltrate devices covertly by exploiting the system actively. The users have zero say in whether they want their devices to be in this scheme or not. They get affected anyway.
  • Reply 10 of 25
    gatorguy Posts: 18,462 member
    patsu said:
    gatorguy,

    It's different. iSignCloud requires its users to voluntarily register their devices with the service; like an employee acknowledging his or her employer. After all, iSignCloud uses an enterprise cert to support their store. Apple or the company that owns the stolen cert can revoke the cert easily.

    Your typical Android malware infiltrate devices covertly by exploiting the system actively. The users have zero say in whether they want their devices to be in this scheme or not. They get affected anyway.
    Personally I think the whole Android malware spiel is way overblown. Actual harmful stuff for the user is nearly non-existent. "Malware" consists of apps serving up ads or collecting data they don't disclose. FWIW many iOS apps have been found to do the same, even some of the most popular.
  • Reply 11 of 25
    patsu Posts: 415 member
    gatorguy said:
    patsu said:
    gatorguy,

    It's different. iSignCloud requires its users to voluntarily register their devices with the service; like an employee acknowledging his or her employer. After all, iSignCloud uses an enterprise cert to support their store. Apple or the company that owns the stolen cert can revoke the cert easily.

    Your typical Android malware infiltrate devices covertly by exploiting the system actively. The users have zero say in whether they want their devices to be in this scheme or not. They get affected anyway.
    Personally I think the whole Android malware spiel is way overblown. Actual harmful stuff for the user is nearly non-existent. "Malware" consists of apps serving up ads or collecting data they don't disclose. FWIW many iOS apps have been found to do the same, even some of the most popular.

    I don't think you are telling the full story. We know for example in China, activists are actively being targeted by the government. The China government certainly don't just sell ads to the activists. 

    Once the devices are rooted, no one can guarantee what the attackers will do. They can in fact take over the entire Android device. They will just milk the victims over and over. We already know for sure it's not just selling ads like Google. There are also ransomware, stealing passwords, corporate espionage, etc. 

    Undisclosed info collection is a problem after the user allows the app to access personal info. Not before. The violators will need to answer to Apple, a single entity in charge of the ecosystem. There is no 'somebody else's problem'.
  • Reply 12 of 25
    gatorguy said:
    Apple bashing? How so? So there's ways to sideload unofficial iOS apps to your non-jailbroken iPhone. Big deal, it's not a huge surprise. It doesn't make Apple look bad IMHO since they certainly don't condone it. 

    Here's one site still active FWIW
    https://isigncloud.com/

    That one is behind a paywall, and I'm not going to waste money (or risk handing out my credentials) just to find out it doesn't work.

    I've tried numerous times to visit a malware or App site that uses Apple enterprise certificates and by the time I get there they don't work. The reason I want to try one out is because I want to grab screenshots of all the warning messages iOS 9 gives you to show people how many hoops you have to jump through before you can allow an App to install.

    So perhaps you have some links to actual working sites that don't require me to pay money up front? Or perhaps you have proof that the site you listed ACTUALLY works?
  • Reply 13 of 25
    patsu Posts: 415 member
    gatorguy said:
    Apple bashing? How so? So there's ways to sideload unofficial iOS apps to your non-jailbroken iPhone. Big deal, it's not a huge surprise. It doesn't make Apple look bad IMHO since they certainly don't condone it. 

    Here's one site still active FWIW
    https://isigncloud.com/

    It is Apple bashing. To this date I've never been able to ever go to a site that had malware using an Apple enterprise certificate and have it work (and I tried numerous times because I wanted to take screenshots of all the warning messages iOS 9 gives you when trying to do this to show people all the hoops you have to jump through).

    The one above has a paywall. I'm not going to waste money only to find out their certificate has been revoked. You have any links to ones that work without having to pay up front? I'd really like to find a working one so I can finish gathering my screenshots.

    The enterprise certs have probably been revoked by the time you tried. It is not difficult for Apple or the owning enterprise to do that.

    As for the alleged download count for these resigned apps, they can be faked by the rogue company to hype the store too. It is also trivial for someone outside to drive that count up.

    Realistically, if you want to download unauthorized software, why would you want to leave a trail behind? You need to register your device on the site. When the site is shutdown by the authority, they will have your device ID. And from the telcos, they can track you down.

    Pirates will just try to jailbreak their phone and keep their anonymity. Get their software from a more anonymized distribution.

    edited December 2015
  • Reply 14 of 25
    gatorguy said:
    patsu said:
    gatorguy,

    It's different. iSignCloud requires its users to voluntarily register their devices with the service; like an employee acknowledging his or her employer. After all, iSignCloud uses an enterprise cert to support their store. Apple or the company that owns the stolen cert can revoke the cert easily.

    Your typical Android malware infiltrate devices covertly by exploiting the system actively. The users have zero say in whether they want their devices to be in this scheme or not. They get affected anyway.
    Personally I think the whole Android malware spiel is way overblown. Actual harmful stuff for the user is nearly non-existent. "Malware" consists of apps serving up ads or collecting data they don't disclose. FWIW many iOS apps have been found to do the same, even some of the most popular.
    Is that fracking gut feeling buddy; 1B+ phones with basically NO SECURITY,... But, hey, "It's overblown".. (sic)

     Go google, you're so "good" at it... And god damn get the whole picture this time.

     I'm praying for an ignore list so I can stop seeing your tripe once again
  • Reply 15 of 25
    gatorguy Posts: 18,462 member
    foggyhill said:
    gatorguy said:
    patsu said:
    gatorguy,

    It's different. iSignCloud requires its users to voluntarily register their devices with the service; like an employee acknowledging his or her employer. After all, iSignCloud uses an enterprise cert to support their store. Apple or the company that owns the stolen cert can revoke the cert easily.

    Your typical Android malware infiltrate devices covertly by exploiting the system actively. The users have zero say in whether they want their devices to be in this scheme or not. They get affected anyway.
    Personally I think the whole Android malware spiel is way overblown. Actual harmful stuff for the user is nearly non-existent. "Malware" consists of apps serving up ads or collecting data they don't disclose. FWIW many iOS apps have been found to do the same, even some of the most popular.
    Is that fracking gut feeling buddy; 1B+ phones with basically NO SECURITY,... But, hey, "It's overblown".. (sic)

     Go google, you're so "good" at it... And god damn get the whole picture this time.

     I'm praying for an ignore list so I can stop seeing your tripe once again
    Let me know when those supposed 1B+ phones with allegedly zero security are infiltrated by viruses.  6 years so far and every few months another Android malware scare story. And 6 years later it still hasn't become much of a real-world problem. So yeah, sorry but it's overblown.

    The easiest ignore is just don't read my posts and certainly don't invite me to reply as you just did unless you are waiting to read more. 
    edited December 2015
  • Reply 16 of 25
    patsu Posts: 415 member
    Yes, one of the easiest ignore is just to pretend malware are scare stories and not real world problem. It's someone else's losses anyway.
    edited December 2015
  • Reply 17 of 25
    gatorguy Posts: 18,462 member
    patsu said:
    Yes, one of the easiest ignore is just to pretend malware are scare stories and not real world problem. It's someone else's losses anyway.
    No, malware is certainly real. But there's relatively benign malware like an app that collects your contacts for no legitimate reason. Then there's malware that takes over your phone and steals banking info. The first type exists on every mobile platform. The second is exceedingly rare, even on the supposed malware-infested Android.

    I would have thought that some of the more recent Apple malware scare stories and the comments from members here would have made it clear that a proof-of-concept exploit does not automatically make one anything a common user would ever encounter or need to worry about.  Android is little different. A temporary security hole doesn't equal an infection. 

    With that out of the way I also consider Apple's ecosystem more secure. Doesn't mean Android is insecure, just more insecure than iOS. They're both safe as long as users stay with the official stores. 
    edited December 2015
  • Reply 18 of 25
    patsu Posts: 415 member
    gatorguy said:
    patsu said:
    Yes, one of the easiest ignore is just to pretend malware are scare stories and not real world problem. It's someone else's losses anyway.
    No, malware is certainly real. But there's relatively benign malware like an app that collects your contacts for no legitimate reason. Then there's malware that takes over your phone and steals banking info. The first type exists on every mobile platform. The second is exceedingly rare, even on the supposed malware-infested Android.

    I would have thought that some of the more recent Apple malware scare stories and the comments from members here would have made it clear that a proof-of-concept exploit does not automatically make one anything a common user would ever encounter or need to worry about.  Android is little different. 

    You are mistaken. Apple malware stories apply to Apple malware. Android malware stories apply to Android malware. They may or may not apply to each other because the platform security mechanisms and philosophies are different.

    No wonder you ignore malware threats on Android. You lumped everything together without thinking.
    So yes, one of the easiest ignore is to just pretend malware are scare stories, not a real problem.

    btw "Benign malware" is an oxymoron. They may appear benign to you. But it is an exploit, and it can evolve.


    edited December 2015
  • Reply 19 of 25
    dasanman69 Posts: 12,931 member
    foggyhill said:
    gatorguy said:
    Personally I think the whole Android malware spiel is way overblown. Actual harmful stuff for the user is nearly non-existent. "Malware" consists of apps serving up ads or collecting data they don't disclose. FWIW many iOS apps have been found to do the same, even some of the most popular.
    Is that fracking gut feeling buddy; 1B+ phones with basically NO SECURITY,... But, hey, "It's overblown".. (sic)

     Go google, you're so "good" at it... And god damn get the whole picture this time.

     I'm praying for an ignore list so I can stop seeing your tripe once again
    So where are the attacks? If it's true that there's no security where are the reports of multitudes being infected and hacked?
  • Reply 20 of 25
    foggyhill said:
    Is that fracking gut feeling buddy; 1B+ phones with basically NO SECURITY,... But, hey, "It's overblown".. (sic)

     Go google, you're so "good" at it... And god damn get the whole picture this time.

     I'm praying for an ignore list so I can stop seeing your tripe once again
    So where are the attacks? If it's true that there's no security where are the reports of multitudes being infected and hacked?

    Logical fallacy. Like most viruses and malware, most people don't even know they have an infected device. We don't need to see "reports" or major news stories.

    Take Win XP as an example. There were countless exploits over the years that infected millions. Yet they never made the news.


    Bottom line: iOS is and always will be more secure than Android. This is an absolute that can't be argued against.
    edited December 2015