Skip to content

S0287 ZergHelper

ZergHelper is iOS riskware that was unique due to its apparent evasion of Apple’s App Store review process. No malicious functionality was identified in the app, but it presents security risks. 1

Item Value
ID S0287
Associated Names
Version 1.1
Created 25 October 2017
Last Modified 11 December 2018
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1475 Deliver Malicious App via Authorized App Store ZergHelper apparently evaded Apple’s app review process by performing different behaviors for users from different physical locations (e.g. performing differently for users in China versus outside of China), which could have bypassed the review process depending on the country from which it was performed.1
mobile T1476 Deliver Malicious App via Other Means ZergHelper abuses enterprises certificate and personal certificates to sign and distribute apps.1
mobile T1407 Download New Code at Runtime ZergHelper attempts to extend its capabilities via dynamic updating of its code.1


Back to top