Friday, 18 March 2016

First iOS trojan exploiting Apple DRM design flaws found

Palo Alto Networks has discovered a new family of iOS malware that has successfully infected non-jailbroken devices. Dubbed AceDeceiver by the company, the malware is considered different from previous iOS malware as it does not use the time-honoured method of abusing enterprise certificates.

AceDeceiver installs itself without any enterprise certificate at all by exploiting design flaws in Apple’s digital rights management (DRM) mechanism, the company said, further warning that even though Apple has removed AceDeceiver from the App Store, it could still spread because of 'a novel attack vector'.

Source: Palo Alto Networks. How the AceDeceiver malware works.

The technique, called FairPlay Man-In-The-Middle (MITM), has been used since 2013 to spread pirated iOS apps, but this is the first time Palo Alto Networks has seen it used to spread malware. Three different iOS apps in the AceDeceiver family were uploaded to the official App Store between July 2015 and February 2016, and all of them claimed to be wallpaper apps. These apps passed Apple's code review at least seven times (the initial upload of each app plus four rounds of code updates, each of which requires an additional review by Apple) using a method similar to that used by ZergHelper, where the app tailors its behaviour to the physical region in which it is being executed.

At present AceDeceiver only displays malicious behaviours when a user is located in China, but this restriction can easily be changed. Apple removed the apps from the App Store after Palo Alto Networks reported them in late February 2016. However, the attack remains viable, because FairPlay MITM can spread any app that was once available in the App Store, even after its removal.

To carry out the attack, the malware's author created a Windows client called "爱思助手 (Aisi Zhushou, or 'assistant that loves to think', or literally 'Ace Assistant')" to perform the FairPlay MITM attack. The assistant purports to be software that provides services for iOS devices such as system re-installation, jailbreaking, system backup, device management and system cleaning. But it also surreptitiously installs the malicious apps on any iOS device that is connected to the PC on which it is running. These malicious iOS apps provide a connection to a third-party app store controlled by the author, from which users can download iOS apps or games. The apps encourage users to enter their Apple IDs and passwords to unlock more features, and any credentials entered are encrypted and uploaded to AceDeceiver's C2 server. We also identified some earlier versions of AceDeceiver that had enterprise certificates dated March 2015.