A new iOS malware family being used to infect jailbroken iPhones and iPads has already successfully stolen more than 225,000 valid Apple accounts, but it does not stop there – the compromised credentials are being actively abused as part of another seemingly related threat, and the malware also enables ransom attacks.
The malware is being referred to as "KeyRaider," and researchers with Palo Alto Networks said in a Sunday post that they have only observed the threat being distributed through China-based Weiphone's Cydia repositories for jailbroken iOS devices.
“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device,” the post said. “KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.”
Altogether Palo Alto Networks identified 92 samples of KeyRaider, 15 of which were uploaded by a Weiphone user named “mischa07” who is believed to be the author due to the username being hardcoded into the malware as the encryption and decryption key.
That user is responsible for uploading a number of jailbreak tweaks, or software packages that enable actions not traditionally achievable on iOS. Two tweaks in particular are named “iappstore” and “iappinbuy,” which allow users to obtain paid apps and in-app-purchases for free and together have more than 20,000 downloads.
As it turns out, the Apple account information being stolen by KeyRaider is actually what enables the two tweaks to work.
“These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the [command-and-control] server [used by KeyRaider], then emulate the iTunes protocol to log in to Apple's server and purchase apps or other items requested by users,” the post said.
KeyRaider does not just steal data – the ability to disable local and remote unlocking functionalities, even if the correct passcode or password is used, enables threat actors to carry out ransom attacks, the post noted. Furthermore, the attacker can send a ransom message by using the stolen certificate and private key, and without going through Apple's push server.
KeyRaider is unique in that it holds devices captive in a way that is different from previous iOS ransom attacks. In a Monday email correspondence with SCMagazine.com, Ryan Olson, intelligence director of Unit 42 at Palo Alto Networks, explained the best way for a user to recover their device should they become a victim.
He said that “if they have OpenSSH already installed on the device, log in and delete the malware using the instructions in the blog. If they don't already have OpenSSH installed, it's going to be much more challenging to get around this particular ransomware. The standard Apple password reset and rescue are not going to function properly with this attack.”
Olson – who indicated that the attack appears to have begun sometime in late 2014 – explained that jailbreaking iOS devices removes much of the protections that Apple has put into place to prevent these types of threats.
“Once those are gone, the responsibility is really on the user to avoid getting infected,” Olson said. “Don't install pirated software and only install software from sources you trust. Even then, your device is at risk so you should avoid using it for sensitive transactions like online banking.”
Palo Alto Networks credited a member of the Weiphone Tech Team with identifying the attack, and explained in the post that Weiphone Tech Team began investigating in July after hearing reports that Apple accounts were being used to make unauthorized purchases. Palo Alto Networks also noted in the post that one user claimed to have their phone held for ransom.
So far the threat appears to have impacted users primarily in China, but also in the U.S., the U.K., France, Russia, Japan, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.