Biggest Apple Account Theft Ever Hits Only JailBroken iOS Devices

KeyRaider stole 225,000 legitimate Apple accounts and slammed devices with ransomware and phony purchases, but only jailbroken gear, mostly in China, is affected.

Sara Peters, Senior Editor

August 31, 2015

4 Min Read

A new family of Apple iOS malware dubbed KeyRaider is slamming jailbroken iOS devices with ransomware, data theft, and fraudulent purchases. It has stolen usernames and passwords for 225,000 Apple accounts already, and researchers at Palo Alto Networks "believe this to be the largest known Apple account theft caused by malware." Thusfar, the threat is limited by the fact that only jailbroken phones are vulnerable and has only been distributed through a China-based public website. 

The KeyRaider attackers have also used the malware to lift 3,000 purchase receipts and created two "tweaks" (apps for jailbroken devices) that use purchasing and account data. The tweaks (iappstore and iappinbuy) allow users to download items from the App Store and make in-app purchases without actually paying for them -- the charges go to a stolen account instead. Those tweaks have been downloaded over 20,000 times.

The KeyRaider malware can also disable both local and remote unlocking functions, and has pilfered over 5,000 certificates and private keys used by Apple push notifications. This allows it to lock devices and send a ransom demand via a notification message without needing to go through Apple's push server.

KeyRaider grabs all this data by intercepting iTunes traffic. As Palo Alto Networks explains:  

The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.  KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The stash of Apple account info was discovered by WeipTech, a group of users of Weiphone, a China-based site for Apple users, that also contains Cydia -- a data repository where people can upload and share the tweaks they develop. WeipTech started looking for something amiss in July, after other Weiphone users began reporting suspicious activity, like abnormal purchasing histories and ransomware.

WeipTech, which also helped discover WireLurker, worked with Palo Alto Networks to investigate further and found 92 samples of this new malware family.

They suspect that the original author of KeyRaider was a Weiphone user who goes by the handle mischa07, because he uploaded the iappstore and iappinbuy tweaks to Cydia and because his username was hard-coded right into the KeyRaider code.

Another major player in the attack campaign was a Weiphone/Cydia user named Bamu. The apps and tweaks he uploaded were very popular, and according to Palo Alto, at least 77 of them installed KeyRaider on victim machines. Researchers attribute 67 percent of the stolen Apple accounts to Bamu.

Users can determine whether their device was infected using WeipTech's query service or manual instructions outlined by Palo Alto Networks here. They also recommend users enable two-factor authentication.

Some security experts dismiss KeyRaider as a low-impact threat.

"The average iPhone user is not affected by this," says Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "It demonstrates the continued use of sensationalism that exists in tech reporting today."

The app was mostly spread through Weiphone, which only has about 5 million users, mostly in China. Although Apple now sells more iOS devices in China than in the United States, and iOS currently claims between 12 and 14 percent of the country's 1.3 billion mobile phones, jailbreaking has decreased in China over the years -- estimated at only about 13.6 percent of iOS devices being jailbroken, as of September 2014.

Others, however, say that this is simply a cautionary tale about jailbreaking your phone.

"Users who do not use a jailbroken device cannot be affected by this issue. While jailbreaking opens up the system to grant more freedom to the end user," says Guillaume Ross, senior consultant of global services at Rapid7. Ross says it "increases the risk of an iOS device being infected with malware, or attacked in other ways."

"Often times, mobile users get frustrated with various limitations that vendors place on their smart devices. Indeed, there are cases where we can all agree that limitations might have gone too far, especially if the 'limitation' is actually done for the vendor’s benefit," says Lane Thames, security research and software development engineer at Tripwire. "However, limitations placed on mobile devices are often done for the benefit of the end user or for the greater good of the overall mobile ecosystem. ... The costs of jailbreaking your smartphone is much, much higher than any potential rewards. At the end of the day, it’s just not smart to jailbreak your smartphone.”

Meanwhile, Adam Ely of Bluebox points out that there are legitimate reasons for wanting more control of your device -- installing patches, removing bloatware, managing app permissions -- and perhaps jailbreaking isn't the real problem.

"We should strive for the ability of allowing users to be free to configure their device however they want yet they are still protected," Ely says. "We should look at these examples as areas for improvement and drive innovation to push security and user experience forward."

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights