{
	"id": "1bdf76f5-c5ea-4176-ac1a-5ef788df5de8",
	"created_at": "2026-04-06T02:11:18.019681Z",
	"updated_at": "2026-04-10T03:20:00.356419Z",
	"deleted_at": null,
	"sha1_hash": "e72469ac55205e77fa4a12eac6a5d118fcbd2d24",
	"title": "Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1665022,
	"plain_text": "Pirated iOS App Store’s Client Successfully Evaded Apple iOS\r\nCode Review\r\nBy Claud Xiao\r\nPublished: 2016-02-22 · Archived: 2026-04-06 01:35:29 UTC\r\nApple’s official iOS App Store is well known for its strict code review of any app submitted by a developer. This\r\nmandatory policy has become one of the most important mechanisms in the iOS security ecosystem to ensure the\r\nprivacy and security of iOS users. But we recently identified an app that demonstrated new ways of successfully\r\nevading Apple’s code review. This post discusses our findings and potential security risks to iOS device users.\r\nThe app we identified is named “开心日常英语 (Happy Daily English),” and it has since been removed by Apple\r\nfrom the App Store. This app was a complex, fully functional third-party App Store client for iOS users in\r\nmainland China. We also discovered enterprise-signed versions of this application elsewhere in the wild. We had\r\nnot identified any malicious functionality in this app, and as such we classified it as Riskware and have named it\r\nZergHelper.\r\nFigure 1: \"Happy Daily English\" available in the App Store\r\nZergHelper presents several security risks, including the following:\r\nIt provides installation of modified versions of iOS apps whose security can’t be ensured.\r\nhttp://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/\r\nPage 1 of 13\n\nIt abuses enterprise certificates and personal certificates to sign and distribute apps, which may include\r\ncode that hasn’t been reviewed, or abuse private APIs.\r\nIt asks the user to input an Apple ID while it also shares some Apple IDs with users. 
It will log in to an Apple\r\nserver using these IDs to perform many operations in the background.\r\nIts author is trying to extend its capabilities via dynamic updating of its code, which could further bypass\r\niOS security restrictions.\r\nIt uses some novel techniques that are sensitive and risky – techniques that could be used by other malware\r\nto attack the iOS ecosystem.\r\nZergHelper appears to have gotten by Apple’s app review process by behaving differently for users\r\nin different physical locations on earth. For users outside of China, it would act as what it claimed to be: an English\r\nstudy app. However, when the app was accessed from China, its real features would appear.\r\nThe app was made available in the App Store on October 30, 2015. However, nobody appeared to have noticed\r\nZergHelper’s hidden functionality until February 19, 2016, when a user created a post in V2EX (a Chinese\r\ndeveloper forum) to discuss it. We shared our findings with Apple on February 19, and Apple removed the app\r\nfrom the App Store later that day.\r\nZergHelper’s main functionality appeared to be to provide another App Store that includes pirated and cracked\r\niOS apps and games. The app was developed by a company in China that named its main product “XY Helper”.\r\nZergHelper was the non-jailbroken and “official App Store” version of this product.\r\nIn addition to its abuse of enterprise certificates, this riskware used some new and novel approaches to install apps\r\non non-jailbroken devices. It re-implemented a tiny version of Apple’s iTunes client for Windows to log in,\r\npurchase and download apps. It also implemented some functionalities of Apple’s Xcode IDE to automatically\r\ngenerate free personal development certificates from Apple’s server to sign apps on the iOS devices – which means\r\nthe attacker has analyzed Apple’s proprietary protocols and abused the new developer program introduced eight\r\nmonths ago. 
ZergHelper also shares some valid Apple IDs with users so that they don’t need to use their own IDs.\r\nZergHelper’s code is complex and it’s still unclear whether it would steal account information and send it back to\r\nthe server or not. The app did send some device information automatically to a server for statistical tracking. The\r\nauthors appeared to be trying to use the programming language Lua to make the app more extensible. Specifically,\r\nZergHelper’s use of the framework means its code could be remotely updated without Apple’s further review.\r\nWe also identified over 50 ZergHelper apps that are signed by enterprise certificates. These apps were spread by\r\nthe authors through different channels.\r\nZergHelper’s Spreading and Functionality\r\nZergHelper was designed to be installed in this way: if an iOS user accessed XY Helper’s official website from\r\nChina, the top advertisement banner would prompt a page saying that you could go to the App Store to install their\r\nproduct “XY Apple Helper” (left of Figure 2). By clicking the button, the official App Store is automatically\r\nopened and the “Happy Daily English” app’s page is shown (right of Figure 2).\r\nThe original “Happy Daily English” app is open-sourced and hosted on OSChina as a project named\r\n“HappyEnglishSentences8k”. ZergHelper’s authors compiled it and embedded their own risky code. There appear to\r\nhave been at least three people jointly developing it using the usernames of “xi”, “zhang” and “zhangzq”. The\r\nproject’s internal name was XYFactory and the app’s internal name was “AppStore_4.0.1”.\r\nFigure 2: Official website guides the user to download ZergHelper from the App Store\r\nIf you were to browse the app using the desktop browser or the iTunes client on any platform, the app’s name\r\nwould be shown as “开心日常英语 (Happy Daily English)”. 
However, once it was installed on an iPhone or iPad,\r\nthe name became “XY助手 (XY Helper)” with the same logo, matching the value of CFBundleDisplayName in the\r\napp’s Info.plist file (Figure 3). Our analysis suggests the authors inputted a different name when submitting the\r\napp to Apple through the web form and Apple’s review process didn’t identify that inconsistency.\r\nFigure 3: The app's name is inconsistent with the iTunes page\r\nWhen the app launched, it would connect to the URL interface[.]xyzs.com immediately, and react differently\r\nbased on the result of the HTTP request (Figure 4). The webpage was configured to return a 404-not-found\r\nerror if the access came from an IP address outside of mainland China. In this situation, the app would only\r\ndisplay an English study interface (left of Figure 5) – no other functionality was provided to users in these regions.\r\nFigure 4: The app provides different functionality based on the HTTP request result\r\nFigure 5: Different interfaces will be shown for users from different locations\r\nWe don’t know where the App Store reviewers are located. If they are not located in mainland China, this method\r\ncould trick them into seeing a legitimate app. Even if they’re in China, the author could just shut down that\r\nwebpage during the review period so that the reviewer could not see the actual functionality through an analysis of its\r\nbehavior.\r\nFor users in China, a different user interface would appear (right of Figure 5). Then the app would guide the user to install\r\ntwo configuration profiles that it claims are for “resolving stability issues” but will actually install a device\r\nenrollment challenge and a web clip (Figure 6). 
These profiles were signed with a certificate of “xyzs.com” which\r\nwas issued by Go Daddy Secure Certificate Authority on December 2, 2015. Note that the device enrollment\r\nchallenge is used to enroll the device in the related MDM (Mobile Device Management) system.\r\nFigure 6: The app asks to install two profiles signed by a certificate issued by GoDaddy\r\nThe app provided functionality for directly installing plenty of iOS apps and games to the device. It has pages for\r\nhot apps, hot games, top grossing apps, etc., just like the official App Store (Figure 7). The only difference is that all\r\napps or games provided by ZergHelper are free, which means they are likely pirated versions of the legitimate\r\napps.\r\nFigure 7: Main user interfaces\r\nIn the settings tab, for devices using pre-9.0 versions of iOS, a user could also input an Apple ID and password.\r\nThe password would be remembered by the app. There’s another button used for “I don’t have an Apple ID. I\r\nwould like to receive one for free” (Figure 8). We have not identified where these Apple IDs came from.\r\nFigure 8: “I don’t have an Apple ID. I would like to receive one for free”\r\nNovel Approach to Act as 3rd-party App Store on Non-jailbroken Devices\r\nZergHelper used unique ways to build a third-party App Store for non-jailbroken iOS devices. Each of them could\r\nbe used to spread pirated or cracked iOS apps. Two of them are new methods of getting past App Store review that\r\nwe haven’t previously observed.\r\nFake as Tiny iTunes Client\r\nZergHelper implemented the protocols between the iTunes client for PC and Apple’s App Store servers. 
To be\r\nmore specific, these functionalities have been implemented in the app:\r\nLog in to the App Store, cache authentication data, and log out of the account\r\nClick the terms of service\r\nGet an app’s information\r\nPurchase an app (Figure 9)\r\nDownload the purchased app\r\nWhen communicating with Apple’s server, ZergHelper used a User Agent like this:\r\niTunes/12.0.1 (Windows; Microsoft Windows 7 x64 Business Edition iTunes/12.0.1 (Windows; Microsoft\r\nWindows 7 x64 Business Edition\r\nHence the app is trying to act as an iTunes 12.0.1 client running on a Windows 7 system.\r\nFigure 9: Code to purchase an app by simulating the iTunes protocol\r\nIt is still not clear to us in which ways ZergHelper used these functionalities. It’s possible that they were used for\r\nthe Apple ID given by users, or by the “free” Apple ID provided by the app itself.\r\nSimulate Xcode to Apply for Personal Development Certificate\r\nThe most surprising approach to installing apps on non-jailbroken devices is how ZergHelper abused free personal\r\ndevelopment certificates.\r\nPreviously, Apple only offered iOS development certificates for registered developers who paid an annual fee.\r\nThis kind of certificate is necessary for anyone to sign an app and then run it on a physical device. From June\r\n2015, Apple began to provide a new program that allows anyone with an Apple ID to receive a certificate for free.\r\nThe functionality has been embedded in Xcode since version 7.0 and so far Xcode is the only official way to use this\r\nfeature.\r\nHowever, ZergHelper could have acted as Xcode to receive a valid personal development certificate from Apple's\r\nauthentication servers, too. 
Apple doesn’t disclose how this process works and how Xcode is implemented.\r\nTherefore, we think someone has reverse-engineered Xcode in detail to analyze this part of the code so that they can\r\nimplement exactly the same behaviors as Xcode – in effect, successfully cheating Apple's server.\r\nFigure 10: Login to Apple's server\r\nFigure 11: Fetch development certificate\r\nUsing the development certificate, ZergHelper could sign other iOS apps on iOS devices and then install them.\r\nThere are limits on the number of iOS devices that can be authorized to use each certificate. Previously, people\r\nworried about whether the free certificates would be abused by someone to install pirated apps, but this technique\r\nshows abuse in a wide-ranging and automated way.\r\nIn the same week that we were analyzing ZergHelper, we observed someone selling source code that:\r\nAutomatically registers for Apple IDs by reversing protocols on phone and on PC\r\nOffers app DRM authentication from PC for “helper utilities”\r\nAutomatically generates a personal development certificate using an Apple ID\r\nThe information was posted on a famous security forum in China on February 19, and was then deleted on\r\nFebruary 20.\r\nFigure 12: The deleted post selling related source code (screenshot)\r\nAuthorize Pirated Apps from PC\r\nFor some pirated apps downloaded from ZergHelper’s server, the app asks the user to connect the iPhone or iPad\r\nto a PC for “authentication” with the help of XY Helper’s Windows version. We have not reverse-engineered\r\nthe Windows client. As far as we know, the purpose behind this is to implement the Windows client like iTunes\r\nand to trick the iOS device into believing an iOS app has been authorized through the PC. 
(This attack technique\r\nhas been in use with some tools for years.)\r\nAbusing Enterprise Certificates\r\nZergHelper also abused enterprise certificates in a manner similar to other previously identified iOS malware,\r\nincluding WireLurker, YiSpecter and TinyV. In the app, these kinds of apps are tagged with “install in a second.”\r\nZergHelper used the itms-service protocol for these apps’ installation. Compared with previous malware, the main\r\ndifference in ZergHelper is that it would not only download the itms-service plist file from the C2 server, but it could also\r\nopen a local port to install some apps onsite. This feature may have been designed for apps signed by personal\r\ncertificates.\r\nFigure 13: Enterprise-signed apps' PLIST files were hosted either on a remote server or the local device\r\nMore ZergHelper Samples in the Wild\r\nApple’s App Store was just one “channel” through which ZergHelper was distributed. The authors also developed\r\nother versions that are all signed by different enterprise certificates. These versions were distributed through\r\ndifferent channels and could be installed on non-jailbroken devices. For example, when you access XY Helper’s\r\nwebsite, you could choose to install it from the App Store or directly from their server.\r\nWe found over 50 ZergHelper samples signed by nine different enterprise certificates. 
In their “xyChannelId.plist”\r\nfiles, the author specified 32 different channel IDs and 33 different channel names.\r\nFigure 14: One of the enterprise certificates being used to sign ZergHelper\r\nPotential Security Risks\r\nApple’s Code Review\r\nPreviously there has been some malware (e.g., FindAndCall) and some Proof-of-Concept apps (e.g., Jekyll) that\r\nsuccessfully made it into the official App Store. The most recent cases are XcodeGhost and InstaAgent. Compared\r\nwith those, ZergHelper has more user interfaces and more significantly suspicious code characteristics. Apple\r\ntypically doesn’t disclose any technical details regarding how its reviewers check apps to confirm they are not\r\nmalicious. But ZergHelper demonstrates new techniques that can evade Apple reviewer scrutiny.\r\nEnterprise Certificate\r\nSince WireLurker, there has been more malware and more evasive applications installed on iOS by abusing enterprise\r\ncertificates. The biggest risk around this issue is the combination of enterprise certificates and private APIs.\r\nYiSpecter and Youmi have abused private APIs to collect private information on iOS. ZergHelper took another\r\nstep to automatically generate development certificates for free. This is of concern because the abuse of these\r\ncertificates may be the first step toward future attacks.\r\nApple ID\r\nIn the underground market for iOS tools, Apple IDs have become more and more important. In recent months,\r\nwe’ve seen malware designed to steal Apple IDs (e.g., KeyRaider), take money from them (e.g., AppBuyer) and\r\nshare them (e.g., YiSpecter). Some attackers ransom the stolen Apple IDs or phish for them. ZergHelper’s\r\nfunctionality also relied on valid Apple IDs. We’re still not certain whether ZergHelper could send stolen Apple\r\nIDs back to its server or not. 
Note that ZergHelper would provide free Apple IDs to its users, and we do not know\r\nwhere these IDs originated. Use of Apple IDs only continues to grow, especially when we consider the\r\namount of private data stored in iCloud and on iPhones and iPads.\r\nCode Dynamic Loading\r\nApple requires every single update to an app in the App Store to be reviewed again before publishing. For\r\nZergHelper, re-review increases the possibility of exposure. The authors appear to have tried to resolve this\r\nproblem by using a scripting language.\r\nZergHelper used an open source project called wax, “a framework that lets you write native iPhone apps in Lua.”\r\nIn the app, there’s an XYLib.lua file that only contains two functions so far. This Lua plugin will be loaded and\r\nexecuted when the app first launches. Through the wax library, this script could invoke many methods in the\r\nObjective-C runtime.\r\nFigure 15: Lua plugin in ZergHelper\r\nApple disallows iOS apps from dynamically loading new code or dynamically updating themselves. This is an\r\nimportant and useful security mechanism to mitigate the risk of some kinds of vulnerabilities and some malware.\r\nHowever, frameworks or SDKs like wax provide another way to bypass the restriction.\r\nDynamic code loading is a classic method used by malware to hide an author’s true intentions. In the last few\r\nyears popular iOS SDKs that provide JavaScript, Lua or other scripting languages’ interfaces to the Objective-C runtime\r\nhave emerged. 
Considering how easy it is to write code in these languages, and how hard it is to analyze or to\r\ndetect them, we think this approach may be adopted by more malware or PUAs on every popular platform (for\r\nexample, the Android Trojan Xbot we recently revealed used JavaScript to implement part of its core\r\nfunctionality).\r\nMitigation\r\nWe reported the issue to Apple on February 19 and Apple removed the app from the App Store on February 20.\r\nFor iOS users that have installed “开心日常英语” from the App Store, or found “XY助手” on your devices, we\r\nsuggest you uninstall it. We also suggest that users check profiles on their iOS devices (under Settings -\u003e General -\u003e\r\nProfiles \u0026 Device Management). If there’s any profile from “xyzs.com”, you should delete it immediately.\r\nAcknowledgements\r\nWe greatly appreciate “i_82” for his help during the analysis. We also would like to thank the author of Surge for\r\ncreating such an awesome tool that greatly helped our analysis of ZergHelper. 
Last, we thank Ryan Olson and Chad\r\nBerndtson from Palo Alto Networks for assistance in developing this report.\r\nIOCs\r\nSamples of the App Store version (DRM stripped)\r\ne618f19d3614063e3b0fbb1c7faee259e38bde8db8972d84a3b25a771db84ef3 EnglishStudy\r\nb1943d0162765e22c0af9b571da2804e4f01d3a063421ee590cab862e8d712be EnglishStudy-v5.0.0.ipa\r\nSamples of enterprise signed versions\r\nRelated domains\r\nhttp://interface[.]xyzs.com/\r\nhttp://tongji[.]xyzs.com/\r\nhttp://download[.]xyzs.com/\r\nhttp://api2[.]xyzs.com/\r\nhttp://software[.]xyzs.com/\r\nhttp://stat[.]das.kingnet.com\r\nSource: http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
	],
	"report_names": [
		"pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review"
	],
	"threat_actors": [],
	"ts_created_at": 1775441478,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e72469ac55205e77fa4a12eac6a5d118fcbd2d24.pdf",
		"text": "https://archive.orkl.eu/e72469ac55205e77fa4a12eac6a5d118fcbd2d24.txt",
		"img": "https://archive.orkl.eu/e72469ac55205e77fa4a12eac6a5d118fcbd2d24.jpg"
	}
}