TutuApp hits the top of the French iOS App Store’s search trends and that is worrying.

TutuApp – the most famous alternative app store for iOS that lets you install your favorite apps for free and other so-called premium versions of famous apps outside of the official App Store – sits now at the top of the French iOS App Store’s search trends.

Picture1

TutuApp lets you install apps like FIFA, PUBG or other games (that you would have to pay for on the official App Store) for free. It also offers multiple “premium” versions of well-known apps such as Whatsapp, SnapChat, Youtube or Spotify which supposedly come with premium or advanced features for free.

Picture2

This situation means that users are explicitly and actively searching for it on the App Store. But the app is only available on the developer’s website and has to be installed from there, outside of the official App Store: this is what we call an Application Sideload.

What do you usually do when you don’t find an app on the App Store? You Google it!

See what it looks like in the below video:

Sideloading an app like that takes no longer than an average 40 seconds and the danger behind this is obvious: installing an app that hasn’t been checked by Apple. Do this and you may end up with a spyware sitting on your favorite device without noticing anything…

Since iOS 9, Apple made it harder to launch sideloaded apps and introduced the requirement of explicitly trusting the developper’s certificate. But TutuApp have established an easy-to-follow procedure in order to help you trust their certificate. Users are being trained to do so…

Let’s see how it is possible to detect a sideloaded apps and protect your company’s data in such a situation. In the below video, the iPhone is managed by an EMM solution (AirWatch in this case).

A user installs TutuApp and is immediately alerted about the threat by the Lookout for Work app. Beside alerting the user and guiding him through the remediation process, Lookout immediately blocks outgoing traffic to specific destinations / domains that the company has previously configured as part of their incident response flows and remediation policies.

The blocking is only lifted once the issue is resolved.

In this example, we configured our AirWatch Secure Email Gateway’s hostname to be blocked in case a threat is detected, this ensures that the user cannot sync his emails while the threat is still active on the device. We also blocked the google.ch domain for the example. This is made possible by Lookout’s On-Device Remediation feature, allowing you to block any URL or even to completely cut the internet connectivity, see below:

Application sideload remains one of the most common and exploited threat vectors on mobile devices (iOS and Android).

Contact us today at mobility@aim-services.ch to get a free mobile security analysis about the applications installed on the mobile devices that you manage with your EMM solution. You’ll be surprised to notice that a wide percentage of your users have already sideloaded dangerous apps!