8/31/2015
06:55 PM
Biggest Apple Account Theft Ever Hits Only JailBroken iOS Devices

KeyRaider stole 225,000 legitimate Apple accounts and slammed devices with ransomware and phony purchases, but only jailbroken gear, mostly in China, is affected.

A new family of Apple iOS malware dubbed KeyRaider is slamming jailbroken iOS devices with ransomware, data theft, and fraudulent purchases. It has already stolen usernames and passwords for 225,000 Apple accounts, and researchers at Palo Alto Networks "believe this to be the largest known Apple account theft caused by malware." Thus far, the threat is limited by two factors: only jailbroken phones are vulnerable, and the malware has only been distributed through a China-based public website.

The KeyRaider attackers have also used the malware to lift 3,000 purchase receipts and created two "tweaks" (apps for jailbroken devices) that use purchasing and account data. The tweaks (iappstore and iappinbuy) allow users to download items from the App Store and make in-app purchases without actually paying for them -- the charges go to a stolen account instead. Those tweaks have been downloaded over 20,000 times.

The KeyRaider malware can also disable both local and remote unlocking functions, and has pilfered over 5,000 certificates and private keys used by Apple push notifications. This allows it to lock devices and send a ransom demand via a notification message without needing to go through Apple's push server.

KeyRaider grabs all this data by intercepting iTunes traffic. As Palo Alto Networks explains:

The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The stash of Apple account info was discovered by WeipTech, a group of users of Weiphone, a China-based site for Apple users, that also contains Cydia -- a data repository where people can upload and share the tweaks they develop. WeipTech started looking for something amiss in July, after other Weiphone users began reporting suspicious activity, like abnormal purchasing histories and ransomware.

WeipTech, which also helped discover WireLurker, worked with Palo Alto Networks to investigate further and found 92 samples of this new malware family.

They suspect that the original author of KeyRaider was a Weiphone user who goes by the handle mischa07, because he uploaded the iappstore and iappinbuy tweaks to Cydia and because his username was hard-coded right into the KeyRaider code.

Another major player in the attack campaign was a Weiphone/Cydia user named Bamu. The apps and tweaks he uploaded were very popular, and according to Palo Alto, at least 77 of them installed KeyRaider on victim machines. Researchers attribute 67 percent of the stolen Apple accounts to Bamu.

Users can determine whether their device was infected using WeipTech's query service or manual instructions outlined by Palo Alto Networks here. They also recommend users enable two-factor authentication.

Some security experts dismiss KeyRaider as a low-impact threat.

"The average iPhone user is not affected by this," says Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "It demonstrates the continued use of sensationalism that exists in tech reporting today."

The app was mostly spread through Weiphone, which only has about 5 million users, mostly in China. Although Apple now sells more iOS devices in China than in the United States, and iOS currently claims between 12 and 14 percent of the country's 1.3 billion mobile phones, jailbreaking has decreased in China over the years -- estimated at only about 13.6 percent of iOS devices being jailbroken, as of September 2014.

Others, however, say that this is simply a cautionary tale about jailbreaking your phone.

"Users who do not use a jailbroken device cannot be affected by this issue. While jailbreaking opens up the system to grant more freedom to the end user," says Guillaume Ross, senior consultant of global services at Rapid7. Ross says it "increases the risk of an iOS device being infected with malware, or attacked in other ways."

"Oftentimes, mobile users get frustrated with various limitations that vendors place on their smart devices. Indeed, there are cases where we can all agree that limitations might have gone too far, especially if the 'limitation' is actually done for the vendor's benefit," says Lane Thames, security research and software development engineer at Tripwire. "However, limitations placed on mobile devices are often done for the benefit of the end user or for the greater good of the overall mobile ecosystem. ... The cost of jailbreaking your smartphone is much, much higher than any potential rewards. At the end of the day, it's just not smart to jailbreak your smartphone."

Meanwhile, Adam Ely of Bluebox points out that there are legitimate reasons for wanting more control of your device -- installing patches, removing bloatware, managing app permissions -- and perhaps jailbreaking isn't the real problem.

"We should strive for the ability of allowing users to be free to configure their device however they want yet they are still protected," Ely says. "We should look at these examples as areas for improvement and drive innovation to push security and user experience forward."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

SecOpsSpecialist, User Rank: Moderator
9/1/2015 | 11:00:05 AM
The message here is...
The message here is that we need to be careful with our jailbroken devices and stop downloading things from questionable sources, secure our root passwords, change our root passwords, and ultimately, just stop doing stupid things with our devices. Realistically, this kind of thing only happens because the end user is uneducated about the happenings of security. They want the freedom but don't consider the risks associated with it.

seans14760, User Rank: Apprentice
9/1/2015 | 10:25:40 AM
load of crap
This is a problem that exists on any device that runs Linux or Unix if you don't secure root: leaving the root user's account with the default "alpine" password, you are asking for trouble. I have done a lot of development with the dev team for years on jailbreak, and it is either people not securing the shell or a lack of producing a method like that which was present in the Pangu jailbreak to provide an intuitive process to secure the shell for the user. There is also a problem with people downloading packages in Cydia from questionable repositories outside the Cydia trusted repo list. However, though the Pangu-provided solution of securing your root password is a good example of a solution to avoid much grief and secure your jailbroken device, I found they were securing my root user account but not informing me what the root user account password was changed to. So to those out there who want to secure your root user account: download MobileTerminal from Cydia and change your root password from the default "alpine", and don't download any questionable packages from untrusted repos.