Hackers used Apple tech to put malicious apps on iPhones

Hackers used Apple tech to put malicious apps on iPhones

Hackers used Apple tech to put malicious apps on iPhones

But a group of "illicit software distributors" including "companies" like TutuApp, Panda Helper, AppValley, and TweakBox have been caught wrongfully using enterprise developer certificates to bypass App Store verification.

Software distributors like TutuApp, Panda Help, AppValley, and TweakBox did not respond to a request to comment, Reuters said.

Many of these underground app marketplaces have their own ads to make money, and a few offer paid subscriptions with access to exclusive hacked content and other perks. However, it can cancel certificates if it finds that they are being misused.

Dozens of porn apps and illegal gambling apps sneaked into Apple's App Store by gaming its Enterprise Certificate program created to let large companies build in-house employee apps.

Numerous certificates were also fraudulently applied for using the name of legitimate companies, with TechCrunch reporting that the process of applying for the certificate only involved filling in a web form with some details of a legitimate company which could easily be acquired from a web search, paying $299 to Apple and answering a phone call a few weeks later.

The worldwide gross app revenue of the Apple App Store equalled $38.7 billion (2017) and $46.6 billion (2018).

Last month, Apple briefly pulled enterprise certificates from both Facebook and Google after discovering that the companies used them market research apps that gathering people's data.

Niantic, which makes Pokemon Go, said players who use pirated apps that enable cheating on its game are regularly banned for violating its terms of service; Microsoft Corp, which owns the creative building game Minecraft, declined to comment. Apple's only recourse is to continue hunting down and revoking the certificates that are being misused, while also tightening up its Developer Enterprise program in the process, both in terms of the requirements for admission and the auditing of companies participating in the program.

Apple will reportedly take steps to fight back by requiring all app makers to use its two-factor authentication protocol from the end of February, so logging into an Apple ID will require a password and code sent to a trusted Apple device. Since these apps are not going through Apple's App Store screening, there is a higher chance they may contain malware or tracking software. Several pirates have impersonated a subsidiary of China Mobile. The misuse of the enterprise certificates seen by Reuters does not rely on jailbreaking and can be used on unmodified iPhones.

Related news

[an error occurred while processing the directive]