PUA Operation Spreads Thousands of Explicit Apps in the Wild and on Legitimate App Stores
One of the most popular ways to make money online is through pornography—whether through legitimate distribution or different online scams. Last year we detected a new variant of the Marcher Trojan targeting users through porn sites, and the year before that popular porn apps were used as lures to compromise millions of mobile users in South Korea.
Recently, another scam has been leveraging this particular lure. We spotted a large amount of porn apps with Chinese user interfaces (UI) spreading on iOS and Android platforms, with some even finding their way onto the Apple App Store. Thousands of these Potentially Unwanted Apps (PUA) are spreading through promotions on porn websites, post bars (forums on popular platforms), and advertisements on other apps. They are not overtly malicious, but do gather sensitive information about the user and are capable of intercepting private SMSs on Android devices.
We’ve identified that these porn PUAs are aggressively spreading and also camouflage themselves when they are outside of a certain region. The distributors—so far we’ve identified two that are funding thousands of these apps—are also impersonating reputable companies to gain enterprise certificates for this PUA scam. It’s a convoluted operation for porn apps that don’t even play the videos they promise users—the distributors profit by pushing users to download more apps and buy VIP access that leads nowhere.
The distribution method for these apps uses three layers: affiliate links (usually found on porn sites or post bars), the installation layer (often disguised as a legitimate app installation site) and root servers (used to produce and store the PUAs). The user encounters affiliate links, is led to the installation layer, and then is prompted to download the app from the root servers.
Figure 1. The distribution goes from affiliate links to the installation and then the root servers
This is a technique that easily allows the PUAs to be distributed across different operating systems. In order to do so, these websites collect information from the user’s machines. Once the OS is established, the users are led to different URLs that direct them to download the PUAs.
Figure 2. How a site installs apps based on the browser version
We’ve identified several porn websites that leverage these http redirect requests to distribute different types of porn PUAs. This distribution method has been quite successful and the apps are spread across different Asian countries, mostly affecting Chinese-speaking areas, which is likely due to the language of the UI:
Figure 3. Distribution of Android PUAs per country
Porn Sites containing PUA links
Figure 4. Websites redirecting to porn app download pages
A look into the PUAs
From the information gathered, we have noted that the porn PUAs are divided into different labels. We then compared this with the number of the PUAs per label detected in 2016 and in 2017. There was marginal growth—the number of apps in 2017 Q1 is about 0.53 million, which is around 10,000 more than 2016 Q1.
|Installation Layer Domain||
|激情快播 (SexQvodPlay)||iosldy. hzt88. com||obqpjufoz. qnssl. com|
|AV大片 (AVPlayer)||html5. jiuxinsj. com||o4bqvkk4i. qnssl. com|
|优优快播 (UUQvodPlay)||waszyy. com||www. mhc01. com.|
|www. mhc01. com.|
|春爱影院 (SexMovie)||wdfw. ksmsmk. com||pa. 51cgj. com|
|幻想影院 (DreamMovie)||csdt. isoucha. com||pa. 51cgj. com|
|绝密影院 (BannedMovie)||wtce. eduigou. com||pa. 51cgj. com|
|AV快播 (AVQvodPlay)||html5. jiuxinsj. com||iosipa. ywdapaia. com
|成人影院 (AdultMovie)||html5. senruilicai. com||iosipa. ywdapaia. com
|快播鸡年版 (QvodPlay Rooster Version)||ios. syjlzs. com||www. hymxz. com|
|快播2017HD版 (QvodPlay 2017 HD Version)||wap. zgqlxw. com||pre. ghbyl. com
Table 1. The different labels of these porn PUAs
There are a variety of apps under the labels—one label actually had 100 different apps, and each of the different apps had about 100,000 copies. For the iOS platform, we detected about 52,000 porn apps from the host servers, with Android apps making up the remainder.
Details on the PUA distributors
As mentioned above, we’ve seen many root distribution servers that produce and store hundreds of thousands of porn apps, and from these domains we can search the registrants and gather more details. Our results confirm that the apps under the labels “快播鸡年版 (QvodPlay Rooster Version)” and “快播2017HD版 (QvodPlay 2017 HD Version)” are produced and distributed by the same people. All the apps under the labels “春爱影院 (SexMovie)”, “幻想影院 (DreamMovie)”, “绝密影院 (BannedMovie)” are spread by the same person as well. We can also confirm that several of the PUA-affiliated sites are registered to the same user.
Figure 5. The boxed porn PUA-affiliated sites are registered to a user with multiple sites to his name
Figure 6. These boxed sites are also registered to one user with multiple websites under his name
What’s more, from the payment information, we found only two payees for all these thousands of porn apps. The two payees are separate entities and we found no evidence to connect them.
Legitimate enterprises compromised for iOS porn PUA distribution
To get an app into the Apple App Store, a legal entity needs a D-U-N-S® number to register for an enterprise certificate. However, to get a D-U-N-S® number, they must provide details about their company, including a business license and other requirements to verify the identity of the company. This list of requirements makes it very hard to get a certificate illegally.
Though difficult, criminals still fall back on some methods, such as:
- Obtaining legitimate companies’ D-U-N-S® number
- Getting the required registration information needed for an enterprise certificate through phishing or an underground market
The porn PUAs are signed by different enterprise certificates from several well-known companies, but we found that there were no enterprise apps for the legitimate entities listed. The PUA distributors probably stole enterprise information, and impersonated these companies to gain legitimate certificates for the distribution of their apps. We actually noted that a number of porn PUAs under the same label were signed by the same certificate.
Groups that try to fraudulently obtain enterprise certificates are not new to Apple. We’ve already written about how a third-party app store misused Apple’s Developer Enterprise Program to distribute their adware apps. The developers of these porn PUAs went a different route, impersonating respectable companies to gain enterprise certificates.
Profiting from porn PUAs
As mentioned above, the main purpose of these porn apps are to make profit. Usually, these apps supply users with a free preview, and then ask for a membership fee to continue viewing. However, with these PUAs, even those who paid for membership cannot watch these videos. Apps will continually show pop-ups asking for payment and encouraging users to upgrade their membership, but even those who pay for the highest level of membership can’t view these videos.
Figure 7. Payment view within the app—the most exclusive membership is 68 Yuan, or roughly US $10
Figure 8. Code snippet for payment view and functions
Malicious behavior of porn apps found in the wild
So far the distribution of these porn apps has been consistent with other PUAs—grayware that may be installed with a user’s consent but have unwanted impact, like multiple advertisements or installing other porn apps. Some also discreetly collect sensitive information that the users may not want to divulge. The Android porn PUAs we found in the wild are actually capable of accessing private messages, user location, contact information, device ID, and the device’s SIM serial number.
Unlike those on Android, the iOS porn PUAs found in the wild were less invasive and more focused on spreading. After launching, these apps will connect to the remote server and request the download app list. They will then encourage users to click the images and install more of these apps.
Figure 9. Snippets from the code showing the app list request
For the iOS apps signed by the fraudulently-obtained enterprise certificates, there is a mitigating measure from Apple. The iOS prompts users to manually trust the enterprise certificate through Settings > General > Device Management before launching the app. However, once you trust these enterprise certificates, any apps installed later that are signed by these same certs will be trusted. You will not be prompted again.
Malicious behavior of iOS porn apps in the Apple App Store
Entities who develop and spread PUAs are constantly trying to maintain a presence on the App Store and bypass Apple’s review process—for these particular porn PUAs there may be a variety of methods used to camouflage the apps. So far, we’ve noted three particular tactics used to disguise PUAs as benign apps: local configuration, becoming “containers”, and using location evasion tactics.
The PUAs that leverage the local configuration tactic are typically disguised as browsers or small games. Once downloaded, they add a “quick view” or pop-up button that redirects users to a porn site and lures people to install the PUAs.
Figure 10. Samples of the disguised apps and the preview window PUA lure
Figure 11. Porn URLs store in the local file or plist file
Apart from the apps that carry porn site URLs inherently, there are also many apps embedded with porn search tools, like the above song app.
The second tactic mentioned works as follows: the app first requests a plist configuration file from the remote server, and once downloaded, it alters the user defaults. They act as containers that display content they get from the remote server. The content could include links to porn sites (as we described above), links to more apps, or even porn search tools.
Figure 12. Code snippet showing the plist request
Figure 12 shows code from an app managed by “dmoe[.]cn”. Once the app launches, users are redirected to the specific site that the server returned. In this example, users are linked to a porn site called “Caoliu community”. The landing page of the site also promotes various porn resources. Moreover, the site will automatically redirect the user to the Apple App Store to download yet another porn PUA. The app in question has already been removed by Apple.
Figure 13. The container app (a) redirects users to a porn site (b) that goes to another porn app download page (c)
The last camouflage tactic mentioned involves leveraging the user’s location information. If the user’s data is disconnected or the app is accessed outside of a specific country, the app disguises itself as benign. In the example used in Figure 14 we see that the PUA suddenly behaves as a “Quotes and Sayings App” when outside of the specified region. However, the app will switch back to spreading porn PUAs when used within the specific country.
Figure 14. PUA disguised as normal apps
These apps can use third-party IP services that recognize where IPs come from, or mobile country code (MCC) and mobile network code (MNC) information taken from the user. They leverage the location information to try and bypass Apple’s review process by disguising themselves in countries with stricter app regulations.
Figure 15. Snippet showing how they use location to escape Apple’s review process
As mentioned above, these apps request the URLs of other porn PUAs from the remote server. These URLs change frequently, and Figure 16 shows how these apps continue to spread. From this perspective, we can see that these PUA developers are willing to spend time and resources to circumvent Apple’s review process to distribute more and more of these apps for greater profit. We identified three methods that they use, but there could be more techniques involved as well.
Figure 16. Apps linking to more PUAs and porn sites
Although these PUAs are grayware that function within the boundaries of law, the distributors are using illegal methods to gain enterprise certificates and operate as legal enterprises. They are also using location evasion tactics, collecting user information, accessing private communications on Android devices, and scamming users out of their money by failing to deliver the videos they promise.
Our samples show that this operation affects mostly Asian countries, but it highlights effective distribution methods and techniques that can help malicious apps bypass review processes. These can be easily adapted and used by other malicious actors. And as the information shows us, these distributors are quite limited—we counted only two entities—but they managed a large-scale operation which reached across Asia and even into Europe. Pornography has been a particularly successful lure for these kinds of scams, and it continues to be a popular tool for compromising mobile users.
Risks and Mitigation
We recommend that users be careful about downloading apps from third-party app stores. When choosing to download from these sites, users are exposing themselves to various security threats like these PUAs. Organizations should put policies in place to reduce the risk from these malicious apps, such as blocking unapproved app stores and safeguarding personal devices. Mobile security solutions such as Trend Micro™ Mobile Security blocks threats from app stores before they can be installed and cause damage to devices, while Trend Micro™ Maximum Security offers in-depth protection for multiple devices and can automatically detect and delete Potentially Unwanted Applications.
We have disclosed our findings to Apple and worked with them to take down the PUAs on the Apple App Store. A list of Indicators of Compromise (IoCs) comprised of related hashes (SHA256) and malicious domains can be found in this appendix.
Incoming search terms