Attacks/Breaches

8/31/2015
06:55 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Biggest Apple Account Theft Ever Hits Only JailBroken iOS Devices

KeyRaider stole 225,000 legitimate Apple accounts and slammed devices with ransomware and phony purchases, but only jailbroken gear, mostly in China, is affected.

A new family of Apple iOS malware dubbed KeyRaider is slamming jailbroken iOS devices with ransomware, data theft, and fraudulent purchases. It has stolen usernames and passwords for 225,000 Apple accounts already, and researchers at Palo Alto Networks "believe this to be the largest known Apple account theft caused by malware." Thusfar, the threat is limited by the fact that only jailbroken phones are vulnerable and has only been distributed through a China-based public website. 

The KeyRaider attackers have also used the malware to lift 3,000 purchase receipts and created two "tweaks" (apps for jailbroken devices) that use purchasing and account data. The tweaks (iappstore and iappinbuy) allow users to download items from the App Store and make in-app purchases without actually paying for them -- the charges go to a stolen account instead. Those tweaks have been downloaded over 20,000 times.

The KeyRaider malware can also disable both local and remote unlocking functions, and has pilfered over 5,000 certificates and private keys used by Apple push notifications. This allows it to lock devices and send a ransom demand via a notification message without needing to go through Apple's push server.

KeyRaider grabs all this data by intercepting iTunes traffic. As Palo Alto Networks explains:  

The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.  KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The stash of Apple account info was discovered by WeipTech, a group of users of Weiphone, a China-based site for Apple users, that also contains Cydia -- a data repository where people can upload and share the tweaks they develop. WeipTech started looking for something amiss in July, after other Weiphone users began reporting suspicious activity, like abnormal purchasing histories and ransomware.

WeipTech, which also helped discover WireLurker, worked with Palo Alto Networks to investigate further and found 92 samples of this new malware family.

They suspect that the original author of KeyRaider was a Weiphone user who goes by the handle mischa07, because he uploaded the iappstore and iappinbuy tweaks to Cydia and because his username was hard-coded right into the KeyRaider code.

Another major player in the attack campaign was a Weiphone/Cydia user named Bamu. The apps and tweaks he uploaded were very popular, and according to Palo Alto, at least 77 of them installed KeyRaider on victim machines. Researchers attribute 67 percent of the stolen Apple accounts to Bamu.

Users can determine whether their device was infected using WeipTech's query service or manual instructions outlined by Palo Alto Networks here. They also recommend users enable two-factor authentication.

Some security experts dismiss KeyRaider as a low-impact threat.

"The average iPhone user is not affected by this," says Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "It demonstrates the continued use of sensationalism that exists in tech reporting today."

The app was mostly spread through Weiphone, which only has about 5 million users, mostly in China. Although Apple now sells more iOS devices in China than in the United States, and iOS currently claims between 12 and 14 percent of the country's 1.3 billion mobile phones, jailbreaking has decreased in China over the years -- estimated at only about 13.6 percent of iOS devices being jailbroken, as of September 2014.

Others, however, say that this is simply a cautionary tale about jailbreaking your phone.

"Users who do not use a jailbroken device cannot be affected by this issue. While jailbreaking opens up the system to grant more freedom to the end user," says Guillaume Ross, senior consultant of global services at Rapid7. Ross says it "increases the risk of an iOS device being infected with malware, or attacked in other ways."

"Often times, mobile users get frustrated with various limitations that vendors place on their smart devices. Indeed, there are cases where we can all agree that limitations might have gone too far, especially if the 'limitation' is actually done for the vendor’s benefit," says Lane Thames, security research and software development engineer at Tripwire. "However, limitations placed on mobile devices are often done for the benefit of the end user or for the greater good of the overall mobile ecosystem. ... The costs of jailbreaking your smartphone is much, much higher than any potential rewards. At the end of the day, it’s just not smart to jailbreak your smartphone.”

Meanwhile, Adam Ely of Bluebox points out that there are legitimate reasons for wanting more control of your device -- installing patches, removing bloatware, managing app permissions -- and perhaps jailbreaking isn't the real problem.

"We should strive for the ability of allowing users to be free to configure their device however they want yet they are still protected," Ely says. "We should look at these examples as areas for improvement and drive innovation to push security and user experience forward."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SecOpsSpecialist
50%
50%
SecOpsSpecialist,
User Rank: Moderator
9/1/2015 | 11:00:05 AM
The message here is...
The message here is that we need to be careful with our jailbroken devices and stop downloading things from questionable sources, secure our root passwords, change our root passwords, and ultimately, just stop doing stupid things with our devices. Realistically, this kind of thing only happens because the end user is uneducated about the happenings of security. They want the freedom but don't consider the risks associated with it.
seans14760
100%
0%
seans14760,
User Rank: Apprentice
9/1/2015 | 10:25:40 AM
load of crap
This is a problem that exists on any device that runs Linux or Unix if you don't secure root leaving the root users account with the default "alpine" password you are asking for trouble. I have done a lot of development with the dev team for years on jailbreak and it is either people not securing the shell or lack of producing a method like that which was present in the pangu jailbreak to provide a intuitive process to secure the shell for the user. There is also a problem with people downloading packages in cydia from questionable repositories outside the cydia trusted repo list. However though the pangu provided solution of securing your root password, being a good example of a solution to avoid much grief and secure your jailbroken device, I found they were securing my root user account but not informing me what the root user account password was changed to. So to those out there who want to secure your root user account download mobileterminal from cydia and change your root password from the default alpine and don't download any questionable packages from untrusted repos.
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7399
PUBLISHED: 2019-02-17
Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages.
CVE-2019-8392
PUBLISHED: 2019-02-17
An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead.
CVE-2019-8394
PUBLISHED: 2019-02-17
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVE-2019-8395
PUBLISHED: 2019-02-17
An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
CVE-2019-8389
PUBLISHED: 2019-02-17
A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) ...