There comes a time in everyone’s life when they consider, for better or for worse, downloading Pokémon Go. Now it seems scammers are ready for that impulsive moment to arrive, they’re just waiting to redirect unsuspecting players to an app store where they may catch more than Pikachus.

New research from the security firm Trend Micro indicates that bogus third-party stores—a long-running problem for Android—have now been surprisingly successful in targeting iPhone users, tricking them into installing ad-laced impostor apps on their devices. TrendMicro highlights two third-party app services: Haima, which is based in China, and the Vietnam-based HiStore. Both have achieved millions of downloads of their counterfeit Pokémon Go apps for iOS (an impressive and concerning 10 million in the case of HiStore) as well as other fake versions of popular apps like Facebook, Twitter, and Instagram. Haima’s fake Minecraft PE app, by Trend Micro’s count, has been downloaded more than 68 million times. The companies promote their phony apps heavily on social media, luring people into clicking on them instead of searching in Apple’s App Store. And it’s working.

The Hack

In the new scheme, the adware distributors set up their app stores through Apple’s Developer Enterprise Program. The service is meant for companies that want to build and distribute proprietary internal apps to their employees. When a company tricks someone into downloading a repackaged version of an app, the software contains adware that starts evaluating information about the victim’s device and mobile network to serve more targeted ads. Then, as the victim uses the app, ad firms deliver ads to the phone, paying fees to the scammers for the privilege.

Apple has always been aggressive about policing its apps. The company just announced a massive cleanup of its App Store at the beginning of September. And the Developer Enterprise Program gets similar scrutiny. When an app is approved it receives a certificate that Apple can revoke at any time, rendering the app unusable wherever it has been downloaded. But making a new Developer Enterprise account and getting a new certificate costs only $299. So when Apple pulls the plug on one certificate, scammers just start using a new one. While investigating Haima, Trend Micro found that the service used five different certificates over 15 days. Apple didn’t respond to WIRED’s request for comment.

The scheme is relatively simple. But the scammers still put serious effort into ensuring that their apps actually work, so customers will keep using them for as long as the fraudulently obtained certificates remain valid. When Pokémon Go was first released and limited to functioning in certain geographic areas, Trend Micro notes that Haima had a version of its fake app that spoofed location data to get around the legitimate app’s restrictions, allowing people who had unknowingly downloaded the scam version to continue using it from anywhere. As Pokémon Go eased these restrictions, Haima updated the app accordingly.

Who’s Affected?

If you’re sure that you always download your apps from the Apple AppStore or Google Play Store your apps are secure. On the rare occasion that a malicious app actually gets approved and is available for download from these legitimate app stores, Apple and Google are generally swift about removing it, revoking its certificate and notifying customers. If you don’t pay attention to where you get your apps or you’re prone to clicking on random links without considering their origin you could be at increased risk. The best way to protect yourself against downloading fake apps loaded with adware is to navigate to authentic app stores and search for the app you want within them, instead of using an outside search engine or social media.

Fake apps can put your phone’s data and even its hardware like its GPS or its microphone in the hands of bad actors. Christopher Budd, a global threat communications manager at Trend Micro notes that the latest research focused on adware, but scam apps downloaded from unaffiliated app stores put users at risk of being exposed to all sorts of malware. “The biggest thing is the importance of going only to the official app stores,” Budd says. “The mobile malware problem that we’ve seen is almost exclusively a problem with third-party locations.”

How Serious is This?

While repackaged, scammy apps are an old problem, Trend Micro’s research is a reminder that they remain pervasive, and reach Apple devices, too. “As far as iOS this is a fairly unusual and new thing,” Budd says, noting that the sheer number of the downloads—reaching tens of millions—is unprecedented for fake iOS apps. “It’s all about scale,” he says. The research didn’t reveal any evidence that scammers are using truly malicious malware that steals data or other cybercriminal behavior—at least for now. But Trend Micro notes that developers should still take steps to make their apps more difficult to hijack, like obfuscating code so it’s harder for bad actors to access.

The crucial takeaway for consumers, though, is simpler: Use official app stores exclusively for finding and downloading apps. When it comes to mysterious software from untrusted Chinese purveyors, “gotta catch’ em all” is an ill-advised strategy.


Hack Brief: Beware the Spammy Pokemon Go Apps Being Pushed to Millions of iPhones