
Monday, 31 August 2015

KeyRaider malware targets jailbroken iOS devices

Palo Alto Networks, the security company, in cooperation with WeipTech, a technical group made up of users of the Weiphone forum, has identified 92 samples of a new iOS malware family in the wild.

WeipTech had earlier found more than 225,000 valid Apple accounts, with passwords, stored on a server while analysing suspicious iOS tweaks reported by users. The samples were analysed to determine the author's ultimate goal; as far as Palo Alto Networks knows, this is the largest known Apple account theft caused by malware.

The malware, named KeyRaider, targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China. The threat appears to have affected users in 18 countries, including China, Singapore, Japan, South Korea and Australia.

The malware steals Apple account usernames, passwords and the device's Globally Unique Identifier (GUID) by intercepting iTunes traffic on the device. It also steals Apple Push Notification service certificates and private keys, shares App Store purchasing information, and disables local and remote unlocking of iPhones and iPads.

The stolen data is used by two iOS jailbreak tweaks to let their users download applications from the official App Store and make in-app purchases without actually paying. Palo Alto Networks describes jailbreak tweaks as software that lets users perform actions that are not normally possible on iOS. The two tweaks have been downloaded over 20,000 times, which suggests that around 20,000 users are abusing the 225,000 stolen credentials.

Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.

Source: Palo Alto Networks blog.

[Image: Phone held for ransom.]

Palo Alto Networks and WeipTech have provided services to detect the KeyRaider malware and identify stolen credentials. WeipTech has set up a query service on its website where potential victims can check whether their Apple accounts have been stolen.

Palo Alto Networks has released DNS signatures that block the malware from relaying stolen credentials out of protected networks. The company also advises all affected users to change their Apple account password after removing the malware, and to enable two-factor verification for their Apple IDs.

Interested?

The Palo Alto Networks blog post describes how to check whether an iOS device is infected (search the post for the phrase 'protection and prevention').
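As an added example (not code from Palo Alto Networks, WeipTech or the page above), the script below shows the general shape of such a check on a jailbroken device: tweak libraries installed through Cydia are MobileSubstrate dylibs in /Library/MobileSubstrate/DynamicLibraries, each paired with a NAME.plist filter file, so an infected device can be found by searching those binaries for indicator strings and cleaned by removing the flagged dylib and its plist. The indicator strings are not hard-coded here; they are assumed to be supplied by the caller from the Palo Alto Networks post, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from Palo Alto Networks, WeipTech or the malware
# authors. Reports MobileSubstrate tweak libraries that contain given
# indicator strings and can remove each match with its filter plist.
#
# Assumptions: tweaks live in /Library/MobileSubstrate/DynamicLibraries as
# NAME.dylib plus NAME.plist (the MobileSubstrate layout on jailbroken iOS),
# and the caller supplies the indicator strings (none are hard-coded).

# scan_dylibs DIR IOC [IOC...]
# Prints "PATH<TAB>IOC" for every .dylib in DIR that contains any IOC string.
scan_dylibs() {
    _dir=$1; shift
    for _lib in "$_dir"/*.dylib; do
        [ -f "$_lib" ] || continue
        for _ioc in "$@"; do
            # -a treats the Mach-O binary as text, -F matches the string
            # literally, -q only sets the exit status.
            if grep -a -q -F -- "$_ioc" "$_lib"; then
                printf '%s\t%s\n' "$_lib" "$_ioc"
                break
            fi
        done
    done
}

# count_suspects DIR IOC... : number of flagged libraries, printed as a number
count_suspects() {
    scan_dylibs "$@" | wc -l | tr -d ' '
}

# remove_suspects DIR IOC... : delete each flagged dylib and its NAME.plist
remove_suspects() {
    scan_dylibs "$@" | while IFS="$(printf '\t')" read -r _lib _ioc; do
        rm -f -- "$_lib" "${_lib%.dylib}.plist"
        echo "removed $_lib (matched '$_ioc')"
    done
}

# Stand-alone use over SSH on the device:
#   KEYRAIDER_IOCS="string1 string2" sh scan.sh [DIR] [remove]
# Without KEYRAIDER_IOCS the script only defines the functions above.
if [ -n "${KEYRAIDER_IOCS:-}" ]; then
    dir=${1:-/Library/MobileSubstrate/DynamicLibraries}
    mode=${2:-scan}
    set -- $KEYRAIDER_IOCS   # word-split the indicator list into arguments
    if [ "$mode" = remove ]; then
        remove_suspects "$dir" "$@"
    else
        scan_dylibs "$dir" "$@"
    fi
fi
```

Run it in scan mode first and read the output before passing `remove`; a respring or reboot is needed for MobileSubstrate to stop loading a deleted tweak, and, as the post advises, the Apple ID password should be changed only after the malware is gone.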
