Software pirates are distributing hacked and infected versions of iPhone apps by hijacking Apple’s enterprise developer program.
Reportedly, the hacked apps include versions of Minecraft, Spotify, Angry Birds, and Pokemon Go. These apps have been modified for making paid content/features available for free to deprive the original developers and Apple of their due revenue share and for blocking in-app ads. For instance, a version of Minecraft that’s available on the App Store for $6.99 is now available for free.
Hackers are using the enterprise developer certificates for letting people stream music ads and enjoy the different features of the game without paying any fees which is a blatant violation of the terms of service for the apps.
The pirates are known for developing apps like Panda Helper, TutuApp, TweakBox, and AppValley. Although Apple cannot track the distribution of modified versions of its apps it can cancel the certificates.
According to Apple’s spokesperson, not only the company can terminate the apps certificates on the grounds of violating the App Developer Enterprise Program Agreement but may also remove them from the Developer Program forever.
As soon as Reuters reported about the distribution of hacked apps, Apple banned many such apps but these immediately resurfaced under different certificates. This means Apple cannot control the hackers’ access to its enterprise certificates. Furthermore, Apple has confirmed that it will now ask developers to add 2FA authentication to their accounts by the end of February.
It is worth noting that this discovery comes soon after it was identified that several popular apps have been secretly recording screen activities of iPhone users. These apps also violated Apple’s term and conditions. The complete list of these apps is available here.
The abuse of Apple’s certificates was identified after Facebook was found to be using them to distribute an app that allows teenagers to track their phone’s usage. Further probe revealed that Google was also offering a similar app.
As per the assessment of TechCrunch researchers, it is quite easy to get the required certificate to publish hacked apps because it only takes a one-time payment of $299 along with some information about the company. People who can access these developer certificates are selling them on online platforms due to which multiple apps are registered under the same enterprise certificate.
