Investigation report about the abuse of the Mac Appstore

For any questions I can be reach on Twitter (@privacyis1st)

This investigation report contains an applications analysis of 7 different Apple developer accounts (identified so far — maybe there are many others that I could not find) that are orchestrated by the same Chinese developer (NSLog output to console while debugging are written in Chinese language — also the companies like Netozo Limited or Wildfire Technology are incorporated by Chinese people).
Thanks to Jeff Johnson for feedback on this article. (@lapcatsoftware)

Why I found it abusive:

1. most of the applications published under this developer accounts that will be described below are using the same pattern of “command-and-control — the term is used in the malware world and is attributed to a malware that can receive commands from a server for doing certain things” technique used by malware, in order to bypass or hide things from the Apple review team and change the application UI in order to gain as much as revenue as possible. The technique was used in past by well-known PUP (Potential Unwanted Program — term used in the antivirus industry) actors.
2. MacOS Apple Appstore fake reviews fraud to mislead Apple users
3. an abusive download of data that is not related to the application purpose
4. abusive and anti-competitive behavior — multiple spams of the same applications in order to gain as much market-share as possible in some niches

Developer accounts identified so far as been orchestrated by the same developer with their top download/sold applications

1. Sunnet Technology Inc (https://www.sunnettechnology.com) — PDF Reader for Adobe PDF Files — Top #1 US Chart Education — TeamIdentifier=WJMTXR4JNU — https://apps.apple.com/us/developer/sunnet-technology-inc/id1462610187
2. Netozo Limited (https://www.netozolimited.com) — Word Writer Pro — Top #52 US Chart Business — TeamIdentifier=758H5UDNCP — https://apps.apple.com/us/developer/netozo-limited/id1550051609
3. Safeharbor Technology L Ltd (https://www.safehartechnology.com) — Screen Recorder — Top #12 US Chart Education — TeamIdentifier=6N53BTGWL7 — https://apps.apple.com/us/developer/safeharbor-technology-l-ltd/id1615941866
4. Wildfire Technology Inc (https://www.wildfiretec.com) — Webcam Expert — Top #68 US Chart Photo & Video — TeamIdentifier=QL99V46A4M — https://apps.apple.com/us/developer/wildfire-technology-inc/id1620099135
5. Boulevard Technology Ltd (https://www.boultechnology.com) — Streaming Browser Video Player — Top #8 US Chart Entertainment — TeamIdentifier=B2MV8Q5A9K — https://apps.apple.com/us/developer/boulevard-technology-ltd/id1603166595
6. Polarnet Limited (https://www.polarnetlimited.com) — PDF Editor for Adobe Files — Top #11 US Chart Business — TeamIdentifier=33CT73RPKY — https://apps.apple.com/us/developer/polarnet-limited/id1564247051
7. Xu Lu (https://sites.google.com/view/pdf-reader-pro/support) — support email is pointing to support@sunnettechnology.com — PDF Reader — Top #25 US Chart Productivity — TeamIdentifier=9ZXZ48W276 — https://apps.apple.com/us/developer/xu-lu/id1182218534

Similarities and connections to the same person orchestrating this developer accounts:

• All the domains are using Cloudflare in order to hide their hosting provider.
• The MX server used by this all domains is paid service of Zoho

• The registrar of the domains is Godaddy with privacy enabled feature
• All the domains have “app” or “vpn” subdomain (will discuss for what is used in the analysis of some of the applications)

• The Privacy Policy website presented on the Apple Appstore is using Google free websites in all cases:
  Sunnet Technology Inc — https://sites.google.com/view/sunnet-pdf/privacy-policy
  Netozo Limited — https://sites.google.com/view/docs-writer/home-support/privacy-policy
  Safeharbor Technology L Ltd — https://sites.google.com/view/screenrecords
  Wildfire Technology Inc — https://sites.google.com/view/webcamexpert/privacy-policy
  Boulevard Technology Ltd — https://sites.google.com/view/docs-writerpro/support/privacy-policy
  Polarnet Limited—https://sites.google.com/view/documentwriterpro/privacy-policy
• Some applications are using bundle identifiers of another connected company name (e.g the application called PDF Reader for Adobe PDF Files — appid: 1558962121 — is using the bundle identifier — netozo.pdf )

• Password used to decrypt the JSON used to hide/bypass the Apple review team is the same on all the applications from this accounts: “oKRZzDrJnqXAKw9bCBmPmndwqhfW3qQLG”
• Most of the applications are using AES encryption using slightly modified names of ftCode, ftDecode, ftEncrypt, ftDecrypt.

• The GET request that an application is doing to get the encrypted JSON to the app.domain.com is using the same pattern:

Command-and-control technique used via an encrypted JSON that is requested to app.domain.com at application runtime.

The application I choose to analyze was the PDF Reader for Adobe PDF Files. The reason of my choice was that the application is in Top most downloaded/sold application from the US Mac Appstore.

In the screenshot below the application is connecting to the app.sunnettechnology.com domain and requesting encrypted data at the application runtime.

Before starting to dig into the application I had to make some tweaks, because the developer had enabled the Hardened Runtime and the lldb debugger was prevented to attach to the process.

The tweak to bypass this was to create a self-signed code certificate and resign the application in order to add the following line “<key>com.apple.security.get-task-allow</key>” into the application entitlements.

Now launching the application in lldb and adding a breakpoint to the ftDecode — 000000010006bd40

At this point the application did the connection with the server and got the encrypted data

Navigating through registers I found the same encryption password “oKRZzDrJnqXAKw9bCBmPmndwqhfW3qQLG” used to decrypt the “command-and-control” JSON file.

To decrypt the encrypted data I used the code from this Github repo (https://github.com/Gurpartap/AESCrypt-ObjC) and came out the following JSON:

The parameters from the screenshot above are also hardcoded in the applications this developer has published under the mentioned 7 developer accounts. (e.g changeUIByReview — set to 1 means that the UI will be different to the end user than the one showed to the review team) — most of the parameters are hardcoded in plain text or minor obfuscated to bypass a fast strings scan.

This technique used by this application using crafted parameters encrypted inside a JSON was well-known in the PUP world but seems now they moved among in the Apple Appstore competing with genuine hard-working developers.

The parameters of the notification title, content, url can be also sent to the application in order to trigger notifications to the end user (same as the all-known PUP did a few years ago to mislead Mac users to buy subscriptions)

Example spotted used to hide things from the Apple review team

By modifying parameters “forceUpdate” to 1, “changeUIByReview” to 1 will trigger a window.
If the “forceUpdate” is 1 “changeUIByReview” is 1 and the “inReview” is set to 1 the window will not appear anymore.

The test was done using Burpsuite(software security application used on a wide range of fields, from penetration testing, web audit, intercepting applications traffic, web security and many more) and passing the modified encrypted JSON on the fly into the original HTTPS Response.

Adding to parameter “notification” the title:”testing article” and content: “testing article” and url: “example.com” will trigger again a window with the specified text. If the user will click the OK button the default browser will open the website example.com.

What is deceptive about these two windows is that there is no close button or cancel. The end-user will have simply to click the only button available. The user will not be able to quit the application without clicking that button — the only way to quit the application is by terminating the process using Activity Monitor.

Again if the parameter for the “inReview” is set to 1 the application will not display any window.

This JSON can be used to send any message to the end user such as buying whatever the developer wants or sending any misleading message that will result, maybe, in more revenue gain.

Downloading unnecessary suspicious data that is not related to the application

Another strange behavior of some of these developer applications is the following: at runtime, after they receive the JSON with some crafted parameters, the application is contacting a gitee repo at https://gitea.com/wyqa2017/test/.
In this repo is a file called 3f5e3259fcf6be361a311614c99300cf that contains also some encrypted data.

The password used to decrypt this data is also “oKRZzDrJnqXAKw9bCBmPmndwqhfW3qQLG” and the decrypted data is:

Decrypt-Encrypt[2610:52483] data {“NextUrlList”: [“”], “OfferwallIPList”: [], “VPNCrtFileWindows”: {“crt”: “ — — -BEGIN CERTIFICATE — — -\nMIIDKjCCAhKgAwIBAgIIA34tfgY8KZAwDQYJKoZIhvcNAQELBQAwMzEMMAoGA1UE\nBhMDY29tMRMwEQYDVQQKEwp3aW5kb3dzYXBwMQ4wDAYDVQQDEwVtaWNybzAeFw0x\nNzExMTMwNjA1NDJaFw0yMDExMTIwNjA1NDJaMDMxDDAKBgNVBAYTA2NvbTETMBEG\nA1UEChMKd2luZG93c2FwcDEOMAwGA1UEAxMFbWljcm8wggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQCslJcAkJ3VxQprmlSOHYxwijD529iO4ncafiyWNDxL\nsNfOQURvGPAbxdI/4THIlkUdqqgKsdZQR9+Nz0hw9BT7r3bWVfH4RcUjKj88cEvv\nI3QtsMUlpCdRVgC3IEix415rESJj2ft+cg7GmUC/csiyLQPo5oJ6ODqy/OfMggw1\nmepHlBoNqIrboW2lGvYxLJSzNyNRikMfxwoGj/mT21nx82czEVjFga7OBBdRk5h/\nkxuThiojZGXnMe7lW6Wu0lMh8WoJtGFiajBniDixBIIFA83Z5WQXlXrz9G5JCRxt\n4rcnNSZ2X3VM5TMDBxz3o55j+0CEvDWqkkwL3JTxwkYBAgMBAAGjQjBAMA8GA1Ud\nEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTt91fa/zxuz52t\nv1HIb5+Wnn+h3TANBgkqhkiG9w0BAQsFAAOCAQEAX1afcfPxKzHSbe9Y7aBWSuX6\nBFa5SBLKU0cboVOUnmKi+4bq8yXJgH3U6eiEpuUYxbVeH9C/ybzOrPVdtEUQ+d4s\nWEWMjiBhCC7p39I8LM8HaHaVUJ/lOP4B8kooU5I8lV1/ZZKnD7Xcos7YYkHsR2Ni\nytnbay/xFLj/bxxG/hptjitKwg3K1ua+396HpCSKVKF+295GIIdGZlzJkgtFWca8\nNJFxrTzcRSIi+jCuVxIGhpH7hx6IbZH01+XEiFGZopxxGh8CsdBum+dYbjaSbh1z\nfXr2+Qs5J0Ae6zgua+dmgJw0UTXwC2idxnChPS4DNOnn+3YtJLwml2GjIrewpA==\n — — -END CERTIFICATE — — -\n”}, “VPNIPList”: [“host.wqvpn.com”, “vpn.appreviewplay.com”, “159.65.236.84”, “167.172.150.116”], “VPNCrtFile”: {“domain”: “01faf38365151f8d966bf5960242fb9e.com”, “crt”: “ — — -BEGIN CERTIFICATE — — -\nMIIFlTCCBH2gAwIBAgIRAON5pB3R+tZUplccJjP47GcwDQYJKoZIhvcNAQELBQAw\ngZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO\nBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD\nVQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg\nQ0EwHhcNMTcxMTAxMDAwMDAwWhcNMjAxMDMxMjM1OTU5WjBsMSEwHwYDVQQLExhE\nb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMTEw\nLwYDVQQDEyh3d3cuMDFmYWYzODM2NTE1MWY4ZDk2NmJmNTk2MDI0MmZiOWUuY29t\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4aJr0+cgsI+6gttHADm0\nvfRNY2dlbiIZODwZmZxzcG+hZZcd0J6Dxz6AbE9SIpT/5Rfr9GYR3hm84abrr2sc\nu1fi772hC4QkX6NQPIxqWHZOT8sFejxUvyq24hZXebdpOJGxQSm00YtaCNqq1tzT\nVJ5yu5nqIVuMFaUUhmDc9JHhtg9exkfcsXpzoNXHEo2yjK/pnlpqtK2snBEqJU1h\nJg4crXsiB6CYYUZBJXychkXr9mTsIWABA8IJw9gtUXFzSApKhUv4GFgH3QjbHh0/\niNA0V3r2N6t8oGqd2RKBbvGmbv3Tw+05srPKqh59ohMUbUA38LIMO0T74Tndrjkq\nzQIDAQABo4ICCzCCAgcwHwYDVR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucw\nHQYDVR0OBBYEFBjh4rPJombPDzPMYuq6nFs9lMemMA4GA1UdDwEB/wQEAwIFoDAM\nBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNV\nHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2Vj\ndXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNo\ndHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9u\nU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKG\nQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRp\nb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNv\nbW9kb2NhLmNvbTBZBgNVHREEUjBQgih3d3cuMDFmYWYzODM2NTE1MWY4ZDk2NmJm\nNTk2MDI0MmZiOWUuY29tgiQwMWZhZjM4MzY1MTUxZjhkOTY2YmY1OTYwMjQyZmI5\nZS5jb20wDQYJKoZIhvcNAQELBQADggEBACGnQCCD7zQCyGNXzDC1MR5Q97aOErvA\nsEY3dQKh3sowNhN/3x1PdpEKvwSGLL+ed4SuA8aY3B8p2Gm2Rpi7FCnOwPzAVmTT\nNXmJN6Y/7KOduNQJgF0+MFVqPCPQpq9mKIe3Az907cQm6/xESYb5VqiYxjJgAmNJ\nTJGcKzaTTernizbpQDsNpU1ZY3M52miUQfr4XB23f9WIBqQ+yAbZilkwYHVpsN9t\nGCuYGLbtdxJC2cgGCxySm4J5CN3SfMVb7Aa70vSH2JCtwkWXpHaf/a4MAb2sZbx2\ndiNJaRub6y/OgOD31HcOj1jj+sD183zX02F0q1af5Uxn/5TrlhgEVnM=\n — — -END CERTIFICATE — — -\n”}, “RequestProxyIPList”: [“app.surfshieldltd.com”, “app.disktookit.com”, “159.65.236.84:7891”, “167.172.150.116:7891”]}
(lldb)

From what I can see there are some VPN IP addresses and VPN certificates that can be used to initialize connections. The domains and IPs are fully functional so I suppose that whatever this is needed for is working properly.

There is also hardcoded string that mention “com.vpn.appinfofromservice” with the class of [SUOutfit getRenderingFromServer:] that is also used to manipulate the user interface.

This “command-and-control” procedure is used to trick Apple reviewers and also update the UI “on the fly” maybe to gain as much as revenue is possible. This seems to work great, because most of the applications of this developer are in the top selling charts, generating thousands of bucks. (e.g the analyzed PDF Reader for Adobe PDF Files application is one of the most sold PDF applications in the macOS US Appstore, competing with legit applications like PDF Expert).

Abusive behavior to spam the same applications from different developer accounts in order to gain as much market share as possible.

While digging into the Apple Appstore under these developers’ accounts I found the following spam copycat applications under the same niches. This technique is used to get as much as possible from an application niche and manipulate the market, making it impossible for the legitimate hard-working developer to compete with. This behavior of spamming multiple same apps under different accounts is strictly denied in Apple Review Guidelines and Apple Developer Agreement.

PDF Readers niche:
Developer account — Sunnet Technology Inc has 2 PDF Reader related applications
Developer account — Boulevard Technology Ltd has 1 PDF Reader related application
Developer account — Polarnet Limited has 1 PDF Reader related application
Developer account — Xu Lu has 1 PDF Reader related application
Total of 5 spam applications on the same niche.

Word Document editor niche:
Developer account — Netozo Limited has 1 Word Document related application
Developer account — Boulevard Technology Ltd has 1 Word Document related application
Developer account — Polarnet Limtied has 1 Word Document related application
Total of 3 spam applications on the same niche

These are just 2 examples, the list can go further with screen recorders, streaming apps, or photo editing apps.A legit developer will have hard times to be able to compete with this behaviour because most of the rank positions will be occupied by this spam applications.

Appstore review abuse

By using a closer look into the reviews of the applications listed under these accounts it is easy to be seen that this developer is abusing the Apple Appstore review system in all possible ways.

By using a free trial of the Appfigures I could find out that most of the application has 4 and 5 stars reviews only on the US Store. The developer is well known of abusing the Appstore review system under the account of Polarnet Limited were previously reported by other Mac Appstore vigilantes few months ago. At that time, Apple took action and removed many reviews of this developer. https://twitter.com/keleftheriou/status/1515727546221948935

The PDF Reader for Adobe PDF application in the US Appstore has a total of 70 reviews but only the real ones, 1star reviews are with text.

Now if we have a closer look at the PDF Reader — Fill, Sign PDF currently has 600+ reviews of the developer account Xu Lu we can easy notice a pattern for the reviews left by users with 5 stars

The pattern resides in the review text like the strange repeated use of all-caps APP, repeated use of “we” and “us” as if the reviewer is representing an organisation. Most of the 5 star reviews in the US App Store appear to be non-native English. Fake reviews can easily be bought from anywhere in the world.

Now let’s have a look how real reviews of this application looks like

Notice that mostly the 1 star reviews do not have any pattern in regards to text and mostly look native English in grammar.

Since the beginning of writing this report, I had monitored some applications of this developer. The one that I want to mention is called Docs Drop. A few days ago this application had 11–5 stars reviews. Today — 26 Jul — the application has 0 reviews. Seems that Apple scanners caught the review fraud and removed his reviews from the Appstore.

Update: 30th of July

I reported yesterday the application Webcam Expert — Video Recorder for fraudulent reviews. Apple removed partial reviews of this application.
The previously reported application Docs Drop that Apple removed its reviews started again to get fraudulent reviews — this is showing that this developer will do anything it takes to mislead and cheat the Apple Appstore users.

Conclusion
The findings from this report show multiple techniques used by this developer to mislead and cheat Apple Appstore users abusing the Apple Appstore in all possible ways.

Codesign certificates IOC of the mentioned developer accounts
TeamIdentifier=WJMTXR4JNU — Sunnet Technology Inc
TeamIdentifier=758H5UDNCP — Netozo Limited
TeamIdentifier=6N53BTGWL7 — Safeharbor Technology L Ltd
TeamIdentifier=QL99V46A4M — Wildfire Technology Inc
TeamIdentifier=B2MV8Q5A9K — Boulevard Technology Ltd
TeamIdentifier=33CT73RPKY — Polarnet Limited
TeamIdentifier=9ZXZ48W276 — Xu Lu