“Researchers from Palo Alto Networks and China-based WeipTech have unearthed a scheme that resulted in the largest known Apple account theft caused by malware. All in all, some 225,000 valid Apple accounts have been compromised.
The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese – the malware is distributed through third-party Cydia repositories in China – but users in other countries have also been affected (European countries, the US, Australia, South Korea, and so on).
“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device,” Palo Alto researcher Claud Xiao explained. “KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.”
The stolen information is stored on a C&C server that the researchers have managed to access. It’s used by users of two iOS jailbreak tweaks (iappstore and iappinbuy) to download apps from Apple’s App Store and to perform in-app purchases – all for free.
According to the researchers, these two tweaks are being used by some 20,000 users, and the author of both is an individual who goes by the online handle Mischa07. Still, he/she isn’t the only one distributing it – other developers have incorporated the malicious code into existing apps and tweaks.
“In addition to stealing Apple accounts to buy apps, KeyRaider also has built-in functionality to hold iOS devices for ransom,” the researchers noted, adding that there have been instances of it being used to hold a phone for ransom.
But the greatest danger for users lies in the fact that their compromised iCloud accounts can lead to the compromise of all the private and sensitive information stored in them (messages, photos, emails, etc.).
Apple has been informed of the matter, and has been given the stolen account information – hopefully they are contacting affected users to let them know they should change their passwords and purge their devices, but who knows? The company isn’t a fan of jailbreaking.
Palo Alto has provided more details about the malware as well as instructions on how to get rid of it in this blog post.”