Data-robbing malicious software dubbed “KeyRaider” has stolen more than 225,000 valid Apple accounts and thousands of certificates, private keys and purchasing receipts, Palo Alto Networks’ Unit 42 reported last week.
The firm identified the malware in cooperation with WeipTech, which found the accounts on a server while it was analyzing suspicious user-reported iOS tweaks.
KeyRaider targets Apple iPhones modified by their owners — that is, jailbroken — to accept third-party applications.
Cydia repositories, which contain apps designed to run on jailbroken iPhones, distributed the pernicious program, according to Palo Alto Networks. The threat appears to have impacted users from 18 countries, including China, Russia, Japan, the UK, the U.S., Canada and South Korea.
Palo Alto Networks informed Apple about the compromised credentials before making its findings public, said Ryan Olson, intelligence director of Unit 42.
“It was able to take action on them before we announced that the compromise had occurred,” he told TechNewsWorld.
Apple did not respond to our request to comment for this story.
Free Apps for Thieves
Apple’s intervention alone won’t protect owners of the infected phones, however.
“Apple can’t remove the infection from the phones because they’re jailbroken,” Olson told TechNewsWorld. That means if an owner doesn’t remove the infection from a phone, new credentials will just be stolen again.
KeyRaider hooks system processes on a jailbroken iPhone and steals Apple account usernames, passwords and device GUIDs (globally unique identifiers) by intercepting the device’s iTunes traffic, Unit 42 explained. It also steals Apple Push Notification service certificates and private keys, harvests and shares App Store purchasing receipts, and disables local and remote unlocking functions on iPhones and iPads.
The stolen credentials feed two iOS jailbreak tweaks whose purpose is to let their users download applications from the App Store and make in-app purchases without paying; the charges land on the victims’ accounts.
“Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom,” Unit 42 researcher Claud Xiao reported.
Ecosystem Safe
The tweaks have been downloaded “over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials,” Xiao noted.
Whoever is behind the attack doesn’t seem to be aiming to turn a profit.
“They seem to just want to allow a bunch of people to get free apps at someone else’s expense, but not necessarily give them any big personal gain,” Olson said.
That could change, however. “It’s certainly possible that they may have future intentions to do something more malicious,” he observed. “Apple IDs can be used to access iCloud, where people have all sorts of information.”
This latest attack on modified iPhones won’t have much impact on Apple’s ecosystem as a whole, maintained Tim Erlin, director of IT security and risk strategy at Tripwire.
“KeyRaider targets jailbroken phones — phones that have already separated themselves from the Apple ecosystem,” he told TechNewsWorld. “Anyone who has an Apple phone and hasn’t jailbroken it is not generally at risk from this malware.”
Perils of Jailbreaking
Palo Alto Networks has provided the following instructions for finding and removing the infection on a jailbroken phone:

“1. Install openssh server through Cydia
2. Connect to the device through SSH
3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings in all files under this directory:
- wushidou
- gotoip4
- bamu
- getHanzi
“If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.
“We also suggest all affected users change their Apple account password after removing the malware, and enable two-factor verification for Apple IDs.”

Enabling two-factor verification on an Apple ID should keep KeyRaider’s users from making purchases with a stolen password alone, and that protection applies whether or not the account owner’s own phone is jailbroken.
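The grep step above, automated as an added example (this is not Palo Alto Networks’ or the article’s own code): the script scans a MobileSubstrate DynamicLibraries directory for the four indicator strings, and for each hit reports the dylib together with the plist that shares its name, which is the pair the advisory says to delete. The target directory argument, the function names and the constructed demo files are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks' or the article's own code: automates the
# grep step from the advisory. Scans a MobileSubstrate DynamicLibraries directory
# for the four indicator strings and reports each matching dylib with the plist
# that shares its name. Directory argument and demo files are assumptions.

INDICATORS="wushidou gotoip4 bamu getHanzi"

# keyraider_scan DIR
# Prints one tab-separated line per suspicious dylib:
#   <dylib>  <indicator that matched>  <companion plist, or "(no plist)">
# Exit status: 0 = no indicator found, 1 = at least one found, 2 = bad directory.
keyraider_scan() {
    dir="${1:-/Library/MobileSubstrate/DynamicLibraries}"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue          # no *.dylib at all: the glob stays literal
        for ind in $INDICATORS; do
            # -F: fixed string, not a regex; -q: exit status only, so grep's
            # "Binary file matches" output does not matter for a Mach-O dylib
            if grep -qF -- "$ind" "$lib"; then
                plist="${lib%.dylib}.plist"
                [ -f "$plist" ] || plist="(no plist)"
                printf '%s\t%s\t%s\n' "$lib" "$ind" "$plist"
                found=$((found + 1))
                break                       # one hit per dylib is enough
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# make_demo_dir
# Constructed sample input (not real malware): one tweak carrying an indicator
# string and one clean tweak, each with its MobileSubstrate plist.
# Prints the temporary directory path.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'plain tweak, only legitimate strings here' > "$d/GoodTweak.dylib"
    printf '<plist/>' > "$d/GoodTweak.plist"
    printf 'stub Mach-O payload ... wushidou ... end' > "$d/BadTweak.dylib"
    printf '<plist/>' > "$d/BadTweak.plist"
    echo "$d"
}

# On the device, over SSH:  sh keyraider_scan.sh /Library/MobileSubstrate/DynamicLibraries
# Without an argument the script runs against the constructed demo directory.
if [ "$#" -gt 0 ]; then
    keyraider_scan "$1"
else
    demo=$(make_demo_dir)
    keyraider_scan "$demo" || echo "indicator(s) found in demo directory (expected)"
    [ -n "$demo" ] && rm -rf "$demo"
fi
```

A hit is a reason to inspect, not yet to delete: “bamu” in particular is short enough to occur in a benign binary, so check where the string sits in a flagged dylib before removing it and its plist, and treat the exit status (1 = something flagged) as a trigger for that manual look.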
Of course, the safest course for any user is not to jailbreak a phone in the first place.
“You’re putting your phone at a lot of risk if you jailbreak your phone and start using these third-party repositories,” Olson said.
“Jailbreaking sounds like you’re breaking out of a cage,” added Jonathan Sander, vice president for product strategy at Lieberman Software.
“That’s absolutely right, but the cage is there to protect you,” he told TechNewsWorld. “Without the cage, you allow yourself to get out — but you also invite everyone else to get in.”