
S0287: ZergHelper

ZergHelper is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. [1]

Domain: Mobile | ID: S0287 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

ZergHelper matters less as a known malware payload and more as a mobile software assurance warning: MITRE describes it as iOS riskware that apparently evaded Apple App Store review, with no malicious functionality identified. For leaders, the practical issue is that app-store presence alone is not sufficient evidence of safety when an app can present security risk or exhibit behavior such as downloading new code at runtime.

Executive priority

Treat this as a mobile governance and assurance case. Security, privacy, and compliance owners should ask whether the organization can identify risky mobile apps, justify mobile app allow/deny decisions, and produce evidence that managed devices are not relying solely on app-store review as a control. The relationship to Download New Code at Runtime raises prioritization questions for mobile application vetting, MDM policy, and incident response readiness around apps whose behavior changes after installation.

Technical view

ATT&CK provides no object-specific detection text, platforms, or tactics for ZergHelper, but the official description identifies it as iOS riskware and the relationship says it uses T1407, Download New Code at Runtime. SOC, mobile security, and IR teams should validate whether they can observe installed mobile apps, app provenance, network connections made by mobile apps, and indicators that an app retrieves executable or interpretable code after installation. Because MITRE notes no malicious functionality was identified, triage should avoid assuming compromise from name alone and instead focus on risky behavior, enterprise policy violations, and device exposure.

Likely telemetry

  • Mobile device inventory and installed application lists from managed devices
  • Application provenance and installation source information where available
  • Mobile device management or enterprise mobility management compliance events
  • Mobile network/proxy/DNS logs showing app communications to code or content delivery locations
  • Mobile application vetting or sandbox results, especially evidence of runtime code download behavior

Detection direction

  • Validate coverage for the related behavior T1407: applications downloading and executing dynamic code not present in the original package after installation.
  • Tune detections to distinguish riskware or policy-violating behavior from confirmed malicious activity, since the supplied ATT&CK description states no malicious functionality was identified.
  • Review blind spots where unmanaged iOS devices, personal devices, or limited mobile telemetry prevent confirmation of installed apps and runtime behavior.
  • Use relationship context to prioritize behavioral review over static app-store trust; static review may miss code retrieved after installation.
  • Correlate mobile app inventory, network activity, and compliance status before escalating to incident response.
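The correlation the bullets above describe, as an added example that is not part of the Glexia page or of ATT&CK: constructed MDM inventory, proxy records and compliance status are joined, fetches that look like code are attributed to the installed app, and the verdict separates a prohibited app (escalate) from runtime code download by a risky or approved app (vet or note). The log format, bundle ids, hosts, content-type heuristics and policy categories are all assumptions.

```python
from collections import defaultdict
# Constructed heuristics: responses that look like code, not content (tune locally).
CODE_TYPES = {"application/javascript", "application/x-mach-binary", "text/x-lua"}
CODE_EXTS = (".js", ".lua", ".dylib")
# Constructed governance categories keyed by bundle id (approved/risky/prohibited).
POLICY = {"com.example.mail": "approved", "com.example.zerghelper": "risky",
          "com.example.pirate": "prohibited"}

def parse_proxy(lines):
    """Parse constructed 'device bundle_id host path content_type' proxy records."""
    recs = [line.split() for line in lines if line.strip()]
    return [dict(zip(("device", "app", "host", "path", "ctype"), r)) for r in recs]

def is_code_fetch(ev):
    """True when the fetched object looks like executable or interpretable code."""
    return ev["ctype"] in CODE_TYPES or ev["path"].lower().endswith(CODE_EXTS)

def triage(inventory, proxy_lines, compliance):
    """inventory: {device: [bundle_id, ...]}, compliance: {device: bool}.
    Returns {(device, app): (verdict, reason)}; verdicts are 'escalate',
    'vet', 'note' or 'ok', so riskware is kept apart from confirmed-bad apps."""
    fetches = defaultdict(set)
    for ev in parse_proxy(proxy_lines):
        if is_code_fetch(ev):
            fetches[(ev["device"], ev["app"])].add(ev["host"])
    verdicts = {}
    for device, apps in inventory.items():
        for app in apps:
            category = POLICY.get(app, "unknown")
            hosts = ",".join(sorted(fetches.get((device, app), ())))
            if category == "prohibited":
                verdicts[(device, app)] = ("escalate", "prohibited app installed")
            elif hosts and (category != "approved" or not compliance.get(device)):
                verdicts[(device, app)] = ("vet", f"runtime code fetch from {hosts}")
            elif hosts:
                verdicts[(device, app)] = ("note", f"approved app fetched code from {hosts}")
            else:
                verdicts[(device, app)] = ("ok", "no runtime code download observed")
    return verdicts

# Constructed sample telemetry.
INVENTORY = {"ipad-01": ["com.example.mail", "com.example.zerghelper"],
             "iphone-02": ["com.example.mail", "com.example.pirate"]}
COMPLIANCE = {"ipad-01": True, "iphone-02": True}
PROXY_LOG = """\
ipad-01 com.example.zerghelper cdn.example.net /upd/core.js application/javascript
ipad-01 com.example.mail mail.example.com /inbox text/html
iphone-02 com.example.mail mail.example.com /plugins/filter.lua application/octet-stream
""".splitlines()
```

Running `triage(INVENTORY, PROXY_LOG, COMPLIANCE)` yields one verdict per installed app; a non-compliant device downgrades an approved app's code fetch from note to vet.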

Mitigation priorities

  • Establish or review mobile app governance that defines approved, risky, and prohibited application categories.
  • Use MDM or equivalent mobile management controls to maintain app inventory and enforce app compliance on managed devices.
  • Require additional vetting for apps that can download new code at runtime or whose behavior changes after installation.
  • Document mobile application review evidence for audit and compliance readiness rather than relying only on official app-store availability.
  • Prepare IR playbooks for removing risky mobile apps, preserving relevant device/app/network evidence, and communicating policy-based risk decisions.

Analyst notes and limits

The key decision value is mobile trust validation: ZergHelper is useful as an example of riskware that reportedly evaded app-store review, not as evidence of a confirmed malicious campaign. The most relevant relationship supplied is its use of T1407, which should guide detection engineering toward runtime code download behavior and mobile app vetting gaps.

ATT&CK supplies no official detection guidance, no tactics, no explicit platform field for the object, and no aliases. The description states ZergHelper is iOS riskware and that no malicious functionality was identified. Any conclusion about current exposure, exploitation, malicious impact, or detection coverage requires local telemetry and app inventory evidence.

Official MITRE ATT&CK definition

ZergHelper

ZergHelper is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name                         | Relationship / procedure
Mobile | T1407 | Download New Code at Runtime | ZergHelper attempts to extend its capabilities via dynamic updating of its code. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1f689a368f37c460...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 1f689a368f37…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Xiao-ZergHelper: Claud Xiao. (2016, February 21). Pirated iOS App Store's Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.
  2. [2] ZergHelper (Citation: Xiao-ZergHelper)
  3. [3] mitre-attack: S0287

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.