S0287 ZergHelper

ZergHelper is iOS riskware that was unique due to its apparent evasion of Apple’s App Store review process. No malicious functionality was identified in the app, but it presents security risks. ¹

Item	Value
ID	S0287
Associated Names
Type	MALWARE
Version	1.1
Created	25 October 2017
Last Modified	11 December 2018
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
mobile	T1475	Deliver Malicious App via Authorized App Store	ZergHelper apparently evaded Apple’s app review process by performing different behaviors for users from different physical locations (e.g. performing differently for users in China versus outside of China), which could have bypassed the review process depending on the country from which it was performed.¹
mobile	T1476	Deliver Malicious App via Other Means	ZergHelper abuses enterprises certificate and personal certificates to sign and distribute apps.¹
mobile	T1407	Download New Code at Runtime	ZergHelper attempts to extend its capabilities via dynamic updating of its code.¹

References

Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016. ↩↩↩↩