ZergHelper is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks.[1]

ID: S0287
Platforms: iOS
Version: 1.1
Created: 25 October 2017
Last Modified: 11 December 2018

Techniques Used

Domain ID Name Use
Mobile T1475 Deliver Malicious App via Authorized App Store

ZergHelper apparently evaded Apple's app review process by behaving differently for users in different physical locations (e.g., behaving differently for users in China than for users outside of China), which could have bypassed the review process depending on the country from which the review was performed.[1]

Mobile T1476 Deliver Malicious App via Other Means

ZergHelper abuses enterprise certificates and personal certificates to sign and distribute apps.[1]

Mobile T1407 Download New Code at Runtime

ZergHelper attempts to extend its capabilities via dynamic updating of its code.[1]