New iOS malware strain steals 225,000 Apple logons
‘KeyRaider’ responsible for ‘largest known Apple account theft caused by malware’, say researchers
Some 225,000 stolen Apple account credentials are being used to bypass payment walls on the App Store and inside third-party iOS apps, according to Palo Alto Networks' Unit 42 threat assessment division.
The credentials were found on a server by amateur Chinese tech team WeipTech, Unit 42 said in a blog post yesterday. Palo Alto's team began its own investigation, in co-operation with WeipTech.
"We believe this to be the largest known Apple account theft caused by malware," Unit 42 said.
The strain of malicious code responsible for stealing the credentials has been named "KeyRaider" by Palo Alto's researchers and the team said it had found 92 samples in the wild, all on jailbroken devices.
Most of the victims are based in China, with around half using email addresses provided by Tencent. But the iOS malware also affected users in France, Russia, Japan, the UK, the US, Canada, Germany, Australia, Italy, Spain, Singapore, and South Korea.
"KeyRaider targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China," Unit 42 reported. "In total, it appears this threat may have impacted users from 18 countries."
No Middle East countries were on Palo Alto's list of affected territories.
"The malware hooks system processes through MobileSubstrate [an iOS monitoring system that regulates third-party software], and steals Apple account usernames, passwords and device GUIDs by intercepting iTunes traffic on the device."
KeyRaider also steals Apple push-notification service certificates and private keys; steals and shares App Store purchasing information; and disables local and remote unlocking functionalities on iPhones and iPads, according to Unit 42.
The research team said, "KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command-and-control server, which itself contains vulnerabilities that expose user information."
The purpose behind the attack, according to Unit 42, was to allow users of two iOS jailbreak tweaks to download apps from the App Store and make in-app purchases without paying. The tweaks hijack app purchase requests, download stolen accounts or purchase receipts from the C&C server, then spoof the iTunes protocol to "log in to Apple's server and purchase apps or other items requested by users".
"The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials," Unit 42 said.