


Biggest Apple Account Theft Ever Hits Only JailBroken iOS Devices

KeyRaider stole 225,000 legitimate Apple accounts and slammed devices with ransomware and phony purchases, but only jailbroken gear, mostly in China, is affected.

A new family of Apple iOS malware dubbed KeyRaider is slamming jailbroken iOS devices with ransomware, data theft, and fraudulent purchases. It has already stolen usernames and passwords for 225,000 Apple accounts, and researchers at Palo Alto Networks "believe this to be the largest known Apple account theft caused by malware." Thus far, the threat is limited by the fact that only jailbroken phones are vulnerable and that it has only been distributed through a China-based public website.

The KeyRaider attackers have also used the malware to lift 3,000 purchase receipts and created two "tweaks" (apps for jailbroken devices) that use purchasing and account data. The tweaks (iappstore and iappinbuy) allow users to download items from the App Store and make in-app purchases without actually paying for them -- the charges go to a stolen account instead. Those tweaks have been downloaded over 20,000 times.

The KeyRaider malware can also disable both local and remote unlocking functions, and has pilfered over 5,000 certificates and private keys used by Apple push notifications. This allows it to lock devices and send a ransom demand via a notification message without needing to go through Apple's push server.

KeyRaider grabs all this data by intercepting iTunes traffic. As Palo Alto Networks explains:

The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The stash of Apple account info was discovered by WeipTech, a group of users of Weiphone, a China-based site for Apple users, that also contains Cydia -- a data repository where people can upload and share the tweaks they develop. WeipTech started looking for something amiss in July, after other Weiphone users began reporting suspicious activity, like abnormal purchasing histories and ransomware.

WeipTech, which also helped discover WireLurker, worked with Palo Alto Networks to investigate further and found 92 samples of this new malware family.

They suspect that the original author of KeyRaider was a Weiphone user who goes by the handle mischa07, because he uploaded the iappstore and iappinbuy tweaks to Cydia and because his username was hard-coded right into the KeyRaider code.

Another major player in the attack campaign was a Weiphone/Cydia user named Bamu. The apps and tweaks he uploaded were very popular, and according to Palo Alto, at least 77 of them installed KeyRaider on victims' devices. Researchers attribute 67 percent of the stolen Apple accounts to Bamu.

Users can determine whether their device was infected using WeipTech's query service or the manual instructions outlined by Palo Alto Networks. Palo Alto Networks also recommends that users enable two-factor authentication.

Some security experts dismiss KeyRaider as a low-impact threat.

"The average iPhone user is not affected by this," says Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "It demonstrates the continued use of sensationalism that exists in tech reporting today."

The app was mostly spread through Weiphone, which only has about 5 million users, mostly in China. Although Apple now sells more iOS devices in China than in the United States, and iOS currently claims between 12 and 14 percent of the country's 1.3 billion mobile phones, jailbreaking has decreased in China over the years -- estimated at only about 13.6 percent of iOS devices being jailbroken, as of September 2014.

Others, however, say that this is simply a cautionary tale about jailbreaking your phone.

"Users who do not use a jailbroken device cannot be affected by this issue. While jailbreaking opens up the system to grant more freedom to the end user," says Guillaume Ross, senior consultant of global services at Rapid7. Ross says it "increases the risk of an iOS device being infected with malware, or attacked in other ways."

"Often times, mobile users get frustrated with various limitations that vendors place on their smart devices. Indeed, there are cases where we can all agree that limitations might have gone too far, especially if the 'limitation' is actually done for the vendor's benefit," says Lane Thames, security research and software development engineer at Tripwire. "However, limitations placed on mobile devices are often done for the benefit of the end user or for the greater good of the overall mobile ecosystem. ... The costs of jailbreaking your smartphone is much, much higher than any potential rewards. At the end of the day, it's just not smart to jailbreak your smartphone."

Meanwhile, Adam Ely of Bluebox points out that there are legitimate reasons for wanting more control of your device -- installing patches, removing bloatware, managing app permissions -- and perhaps jailbreaking isn't the real problem.

"We should strive for the ability of allowing users to be free to configure their device however they want yet they are still protected," Ely says. "We should look at these examples as areas for improvement and drive innovation to push security and user experience forward."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
9/1/2015 | 10:25:40 AM
load of crap
This is a problem that exists on any device that runs Linux or Unix: if you don't secure root, leaving the root user's account with the default "alpine" password, you are asking for trouble. I have done a lot of development with the dev team for years on jailbreak, and it is either people not securing the shell or the lack of a method like the one present in the Pangu jailbreak to provide an intuitive process to secure the shell for the user. There is also a problem with people downloading packages in Cydia from questionable repositories outside the Cydia trusted repo list. However, though the Pangu-provided solution of securing your root password is a good example of a solution to avoid much grief and secure your jailbroken device, I found they were securing my root user account but not informing me what the root user account password was changed to. So to those out there who want to secure your root user account: download MobileTerminal from Cydia and change your root password from the default "alpine", and don't download any questionable packages from untrusted repos.
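The two hardening steps the comment above describes (replace the stock "alpine" password, and only pull packages from repositories you trust) can be audited from copies of the device's `/etc/master.passwd` and `/etc/apt/sources.list.d/cydia.list`. The Python script below is an added example written for this page; it is not the commenter's code, nor anything from Palo Alto Networks or WeipTech. It assumes the widely documented traditional DES crypt value `/smx7MYTQIi2M` for "alpine" (verify it against your own device; extra known-default hashes can be passed in), and the repository allowlist and both input files are constructed samples.

```python
"""Audit a jailbroken iOS device's local hardening state (added example).

Check 1: no local account still carries the stock "alpine" password hash.
Check 2: Cydia only references repositories on a caller-supplied allowlist.
Inputs are text copies of /etc/master.passwd and cydia.list; the samples
at the bottom are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Traditional DES crypt() output for the password "alpine" (salt "/s") that
# jailbroken iOS devices shipped with. Assumption: confirm it against your
# own device's master.passwd; callers may supply more known-default hashes.
DEFAULT_ALPINE_HASH = "/smx7MYTQIi2M"


def parse_master_passwd(text):
    """Return {username: password_hash} from BSD master.passwd text."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip rather than guess
        accounts[fields[0]] = fields[1]
    return accounts


def accounts_with_default_password(text, known_defaults=(DEFAULT_ALPINE_HASH,)):
    """Usernames whose stored hash equals one of the known default hashes.

    Every account is checked, not just root: the same stock hash may sit on
    other local accounts and is just as easy to guess there.
    """
    return [user for user, h in parse_master_passwd(text).items()
            if h in known_defaults]


def parse_apt_sources(text):
    """Extract repository URLs from apt-style 'deb <url> <suite> ...' lines."""
    urls = []
    for line in text.splitlines():
        m = re.match(r"^\s*deb(?:-src)?\s+(\S+)", line)
        if m:
            urls.append(m.group(1))
    return urls


def untrusted_sources(text, trusted_hosts):
    """Repository URLs whose host is not on the allowlist (case-insensitive)."""
    trusted = {h.lower() for h in trusted_hosts}
    return [u for u in parse_apt_sources(text)
            if (urlparse(u).hostname or "").lower() not in trusted]


def audit(master_passwd_text, cydia_list_text, trusted_hosts):
    """Run both checks and return one report; 'ok' is True only if both pass."""
    weak = accounts_with_default_password(master_passwd_text)
    rogue = untrusted_sources(cydia_list_text, trusted_hosts)
    return {"default_password_accounts": weak,
            "untrusted_repos": rogue,
            "ok": not weak and not rogue}


# ---- constructed samples (not taken from any real device) ----
SAMPLE_PASSWD_STOCK = """\
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""
# root password changed, mobile left at the stock value (a common oversight)
SAMPLE_PASSWD_PARTIAL = """\
root:$6$constructed$notarealhash:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""
SAMPLE_CYDIA_LIST = """\
deb http://apt.trusted.example/ ./
deb http://repo.unknown.example/ ./
"""
TRUSTED_HOSTS = {"apt.trusted.example"}  # constructed allowlist placeholder

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD_STOCK, SAMPLE_CYDIA_LIST, TRUSTED_HOSTS))
    print(audit(SAMPLE_PASSWD_PARTIAL, SAMPLE_CYDIA_LIST, TRUSTED_HOSTS))
```

The script only reports; the remediation is what the commenter describes: run `passwd` for each flagged account from a terminal on the device, and delete the offending `deb` line from the Cydia source list before installing anything else. Running the audit on a partially hardened sample is deliberate, since changing only root while leaving other local accounts at the stock password is an easy mistake to miss.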
User Rank: Moderator
9/1/2015 | 11:00:05 AM
The message here is...
The message here is that we need to be careful with our jailbroken devices and stop downloading things from questionable sources, secure our root passwords, change our root passwords, and ultimately, just stop doing stupid things with our devices. Realistically, this kind of thing only happens because the end user is uneducated about the happenings of security. They want the freedom but don't consider the risks associated with it.