Pirated iOS app store evades Apple's strict review policies - sophisticated techniques used

An iOS app that provided access to pirated apps successfully got through Apple's strict approval process. The Chinese-developed app 开心日常英语 (Happy Daily English) appeared to be an English course. But for users physically located in China it was a third-party app store that allowed downloading of pirated apps and games. Apple removed the app after it was reported by its discoverer.

The discoverer of the app was the security company Palo Alto Networks, who call it 'Zerghelper' and classify it as 'riskware'. That means the app in itself is not harmful. But because it downloads pirated apps and games, it can retrieve code whose security cannot be guaranteed. Therefore it poses a risk to users, Palo Alto Networks explains in a blog post.

But there's more: the app also abuses certificates to sign and distribute apps that haven't been approved by Apple. It also asks for an Apple ID, which it then uses to log in to Apple's servers and perform operations in the background, and it uses some techniques that could be used by malware to attack iOS.

The techniques the developers employed were very sophisticated. Palo Alto Networks reports the app "re-implemented a tiny version of Apple’s iTunes client for Windows to login, purchase and download apps."

And there's more: "It also implemented some functionalities of Apple's Xcode IDE to automatically generate free personal development certificates from Apple's server to sign apps in the iOS devices – which means the attacker has analyzed Apple's proprietary protocols and abused the new developer program introduced eight months ago."

The English learning part of the app, presented to users outside of China, is based on an open source app, which likely helped to get it approved. The developers of Zerghelper embedded their own code inside this app. The approval process of the iOS App Store was likely bypassed because the app connects to a webpage to activate its pirated app store. If the server behind that webpage detects a user outside China, nothing happens, and the same is true when the server is down. The developers of the app likely shut down their server until the app was approved, so the Apple reviewers never got to see the pirated app store.
