Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/31/2015
06:55 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Biggest Apple Account Theft Ever Hits Only JailBroken iOS Devices

KeyRaider stole 225,000 legitimate Apple accounts and slammed devices with ransomware and phony purchases, but only jailbroken gear, mostly in China, is affected.

A new family of Apple iOS malware dubbed KeyRaider is slamming jailbroken iOS devices with ransomware, data theft, and fraudulent purchases. It has stolen usernames and passwords for 225,000 Apple accounts already, and researchers at Palo Alto Networks "believe this to be the largest known Apple account theft caused by malware." Thusfar, the threat is limited by the fact that only jailbroken phones are vulnerable and has only been distributed through a China-based public website. 

The KeyRaider attackers have also used the malware to lift 3,000 purchase receipts and created two "tweaks" (apps for jailbroken devices) that use purchasing and account data. The tweaks (iappstore and iappinbuy) allow users to download items from the App Store and make in-app purchases without actually paying for them -- the charges go to a stolen account instead. Those tweaks have been downloaded over 20,000 times.

The KeyRaider malware can also disable both local and remote unlocking functions, and has pilfered over 5,000 certificates and private keys used by Apple push notifications. This allows it to lock devices and send a ransom demand via a notification message without needing to go through Apple's push server.

KeyRaider grabs all this data by intercepting iTunes traffic. As Palo Alto Networks explains:  

The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.  KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The stash of Apple account info was discovered by WeipTech, a group of users of Weiphone, a China-based site for Apple users, that also contains Cydia -- a data repository where people can upload and share the tweaks they develop. WeipTech started looking for something amiss in July, after other Weiphone users began reporting suspicious activity, like abnormal purchasing histories and ransomware.

WeipTech, which also helped discover WireLurker, worked with Palo Alto Networks to investigate further and found 92 samples of this new malware family.

They suspect that the original author of KeyRaider was a Weiphone user who goes by the handle mischa07, because he uploaded the iappstore and iappinbuy tweaks to Cydia and because his username was hard-coded right into the KeyRaider code.

Another major player in the attack campaign was a Weiphone/Cydia user named Bamu. The apps and tweaks he uploaded were very popular, and according to Palo Alto, at least 77 of them installed KeyRaider on victim machines. Researchers attribute 67 percent of the stolen Apple accounts to Bamu.

Users can determine whether their device was infected using WeipTech's query service or manual instructions outlined by Palo Alto Networks here. They also recommend users enable two-factor authentication.

Some security experts dismiss KeyRaider as a low-impact threat.

"The average iPhone user is not affected by this," says Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "It demonstrates the continued use of sensationalism that exists in tech reporting today."

The app was mostly spread through Weiphone, which only has about 5 million users, mostly in China. Although Apple now sells more iOS devices in China than in the United States, and iOS currently claims between 12 and 14 percent of the country's 1.3 billion mobile phones, jailbreaking has decreased in China over the years -- estimated at only about 13.6 percent of iOS devices being jailbroken, as of September 2014.

Others, however, say that this is simply a cautionary tale about jailbreaking your phone.

"Users who do not use a jailbroken device cannot be affected by this issue. While jailbreaking opens up the system to grant more freedom to the end user," says Guillaume Ross, senior consultant of global services at Rapid7. Ross says it "increases the risk of an iOS device being infected with malware, or attacked in other ways."

"Often times, mobile users get frustrated with various limitations that vendors place on their smart devices. Indeed, there are cases where we can all agree that limitations might have gone too far, especially if the 'limitation' is actually done for the vendor’s benefit," says Lane Thames, security research and software development engineer at Tripwire. "However, limitations placed on mobile devices are often done for the benefit of the end user or for the greater good of the overall mobile ecosystem. ... The costs of jailbreaking your smartphone is much, much higher than any potential rewards. At the end of the day, it’s just not smart to jailbreak your smartphone.”

Meanwhile, Adam Ely of Bluebox points out that there are legitimate reasons for wanting more control of your device -- installing patches, removing bloatware, managing app permissions -- and perhaps jailbreaking isn't the real problem.

"We should strive for the ability of allowing users to be free to configure their device however they want yet they are still protected," Ely says. "We should look at these examples as areas for improvement and drive innovation to push security and user experience forward."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SecOpsSpecialist
50%
50%
SecOpsSpecialist,
User Rank: Moderator
9/1/2015 | 11:00:05 AM
The message here is...
The message here is that we need to be careful with our jailbroken devices and stop downloading things from questionable sources, secure our root passwords, change our root passwords, and ultimately, just stop doing stupid things with our devices. Realistically, this kind of thing only happens because the end user is uneducated about the happenings of security. They want the freedom but don't consider the risks associated with it.
seans14760
100%
0%
seans14760,
User Rank: Apprentice
9/1/2015 | 10:25:40 AM
load of crap
This is a problem that exists on any device that runs Linux or Unix if you don't secure root leaving the root users account with the default "alpine" password you are asking for trouble. I have done a lot of development with the dev team for years on jailbreak and it is either people not securing the shell or lack of producing a method like that which was present in the pangu jailbreak to provide a intuitive process to secure the shell for the user. There is also a problem with people downloading packages in cydia from questionable repositories outside the cydia trusted repo list. However though the pangu provided solution of securing your root password, being a good example of a solution to avoid much grief and secure your jailbroken device, I found they were securing my root user account but not informing me what the root user account password was changed to. So to those out there who want to secure your root user account download mobileterminal from cydia and change your root password from the default alpine and don't download any questionable packages from untrusted repos.
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12960
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in functions.internal.build.inc.php via the parameter p_dt_s_d.
CVE-2019-12961
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function.
CVE-2019-12962
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.
CVE-2019-12963
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the chat.php Create Ticket Action.
CVE-2019-12964
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the ticket.php Subject.