225K+ Apple accounts stolen from jailbroken devices: Palo Alto Networks
By Digital News Asia August 31, 2015
- ‘Largest known Apple account theft caused by malware’
- Steals info by intercepting iTunes traffic on the device
US security specialist Palo Alto Networks said it has, in cooperation with China-based amateur technical group WeipTech, identified 92 samples of a new iOS malware family in the wild which has stolen Apple user accounts from jailbroken devices.
WeipTech was analysing suspicious Apple iOS tweaks reported by users and found over 225,000 valid Apple accounts with passwords stored on a server.
Palo Alto Networks analysed the samples to determine the author’s ultimate goal and has named the malware ‘KeyRaider.’
“We believe this to be the largest known Apple account theft caused by malware,” Palo Alto Networks security researcher Claud Xiao wrote in a blog post.
Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.
KeyRaider targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China, Xiao wrote.
In total, it appears this threat may have impacted users from 18 countries including China, France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.
“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID (globally unique identifiers) by intercepting iTunes traffic on the device.
“KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads,” Xiao wrote.
“KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C&C) server, which itself contains vulnerabilities that expose user information.
“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying,” he added.
Apple repeatedly advises users against jailbreaking their devices, saying the limitations it puts on its products are to protect users.
But users have been jailbreaking their devices since the introduction of the first iPhone, with many users and app developers accusing Apple of being inconsistent and capricious in how it determines what to limit.
Jailbreak tweaks are software packages that allow users to perform actions that aren’t typically possible on iOS, Palo Alto Networks’ Xiao noted in his blog post.
“These two [KeyRaider] tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C&C server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users.
“The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials,” he added.
Protection and prevention
Palo Alto Networks reiterated that KeyRaider only affects jailbroken iOS devices.
WeipTech has provided a query service on its website for potential victims to check whether their Apple accounts were stolen.
Palo Alto Networks said it provided the stolen account information to Apple on Aug 26, but noted that WeipTech was only able to recover around half of the stolen accounts before the attacker fixed the vulnerability.
Users who have ever installed apps or tweaks from untrusted Cydia sources could also be affected, according to Xiao.
“Palo Alto Networks has released DNS signatures to cover KeyRaider’s C&C traffic to prevent the malware from relaying credentials in protected networks,” he said.
Users can use the following method to determine by themselves whether their iOS devices have been infected:
- Install openssh server through Cydia
- Connect to the device through SSH
- Go to /Library/MobileSubstrate/DynamicLibraries/ and grep all files under this directory for these strings:
  - wushidou
  - gotoip4
  - bamu
  - getHanzi
“If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device,” Xiao said.
“We also suggest all affected users change their Apple account password after removing the malware, and enable two-factor verifications for Apple IDs.
“Our primary suggestion for those who want to prevent KeyRaider and similar malware is to never jailbreak your iPhone or iPad if you can avoid it,” he added.
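The manual check above, automated as a small POSIX shell script. This is an added example, not code from the article or from Palo Alto Networks; it assumes a shell with grep (as installed via Cydia) and uses only the four indicator strings the article lists.

```shell
#!/bin/sh
# Added example: scan a MobileSubstrate DynamicLibraries directory for the
# KeyRaider indicator strings named in the article and report each matching
# dylib together with the companion plist of the same base name.
# Assumption: POSIX sh and a grep that accepts -q and -a (GNU or busybox).

KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"

# scan_dylibs DIR: print every *.dylib under DIR containing an indicator
# string, plus its companion .plist if one exists.
# Returns 0 when nothing matched and 1 when at least one file is suspicious.
scan_dylibs() {
    dir="$1"
    found=0
    for f in "$dir"/*.dylib; do
        # An unmatched glob leaves the literal pattern; skip non-files.
        [ -f "$f" ] || continue
        for s in $KEYRAIDER_STRINGS; do
            # -q: quiet, -a: treat binary files as text so a hit is reported
            if grep -qa -- "$s" "$f"; then
                found=1
                echo "SUSPICIOUS: $f (contains '$s')"
                plist="${f%.dylib}.plist"
                if [ -f "$plist" ]; then
                    echo "  companion plist: $plist"
                fi
                break
            fi
        done
    done
    return $found
}

# On a jailbroken device, run against the live directory:
# scan_dylibs /Library/MobileSubstrate/DynamicLibraries
```

The script only reports; removing the listed dylib and plist and rebooting, then changing the Apple ID password, remain manual steps as the article describes.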