In a biggest of its kind security incident, as many as 225,000 Apple accounts have been hijacked by the authors of an iOS malware dubbed KeyRaider, security experts have revealed.
The incident was brought to light by an investigation carried out by security experts at Palo Alto Networks in collaboration with an amateur technical group in China called WeipTech. Experts at the two companies unearthed the iOS malware and its mechanism of working providing vital clues about its creator. The attack was first discovered by i_82, a student from Yangzhou University and member of WeipTech.
KeyRaider is capable of infected only jailbroken Apple devices as the security of such devices have already been weakened by the jailbreak patch. Researchers say that during the course of investigation, they identified 92 samples of the new iOS malware family in the wild.
The malware is being distributed through third-party Cydia repositories in China; however, the malware has affected users in a total of 18 countries including France, United Kingdom, United States, Canada, Germany, and Australia, among others.
One of the main reasons why the malware has pull off its dirty tricks is that there is no security mechanism in place for apps that have been downloaded through third-party repositories.
KeyRaider hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. It also steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.
According to details provided by the investigation team, KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server.
One of the good things – from the perspective of the security experts investigating the malware – was that the C2 server that the malware author used was itself riddled with vulnerabilities and this allowed the security experts to expose user information that was stolen by the authors. The server had a trivial SQL injection vulnerability that allowed access to all of the records in the database. The malware authors soon realised that something was amiss and shuttered the service before researchers could find out more.
The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreak tweaks are software packages that allow users to perform actions that aren’t typically possible on iOS.
These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.
The malware has also been reported as being involved in demanding a ransom. By locking the user out of their devices with no means of unlocking the device, victims are asked to contact an ICQ account for the ransom.
WeipTech reverse-engineering the jailbreak tweak, which they found was sending out information to a server. They came across a piece of code that used AES encryption with fixed key of “mischa07”. Further analysis by Palo Alto Networks’ experts revealed that a Weiphone user, named “mischa07”, had uploaded at least 15 KeyRaider samples to his personal repository so far in 2015. Citing this and earlier information about AES encryption with fixed key ‘mischa07’, experts strongly suspect mischa07 is KeyRaider’s original author.
Experts urge that users refrain from jailbreaking their devices as this opens up their devices to possible hacks like KeyRaider.