AceDeceiver iOS malware exploits Apple design flaw to infect non-jailbroken devices

Malware developers have found another hole in Apple’s iOS defenses, and this one, according to Palo Alto researchers, will be difficult to plug.

The newly discovered malware family that has been successfully infecting non-jailbroken devices of Chinese users has been dubbed AceDeceiver. And, unlike previous instances of successful iOS malware, it can be installed on target devices without being signed with a valid enterprise certificate.

FairPlay MITM

“AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken,” the researchers noted.

“Apple allows users purchase and download iOS apps from their App Store through the iTunes client running in their computer. They then can use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased,” they explained.

“In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code. They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.”

The ‘FairPlay Man-In-The-Middle (MITM)’ technique is not new – pushers of pirated iOS apps have been using it for several years. But, this is the first time that it has been used to deliver malware.

PC software

In this case, the installation has been effected via the Aisi Helper, Windows software that claims to provide services for iOS devices (system re-installation, jailbreaking, system backup, etc.).

Aisi Helper is a popular piece of software that has been around since late 2014, and hasn’t been equipped with malicious functionality until 2015, the researchers found.

“During our investigation in February 2016, all Aisi Helper Windows or iOS clients downloaded from the official website contained the AceDeceiver Trojan,” they shared.

The AceDeceiver Trojan

The AceDeceiver Trojan, three instances of which have been found on Apple’s App Store at different times, used several tricks to evade Apple’s code reviewers. Some of these are the same ones used by the developers of ZergHelper: the malicious apps show different names in different situations (in the various regional App Stores and on iOS devices), and shows their true nature only to users located in China.

In addition to this, the apps were submitted only to some of the local App Stores, minimizing the likelihood of it being spotted by security researchers and Apple code checkers.

“The iOS apps of AceDeceiver mainly act as a third party app store if users access them from China. Note that some of the apps or games they provide in the store are also installed through a FairPlay MITM attack. In addition, these apps strongly suggest users input their Apple ID with password so that users could ‘directly install free apps from the App Store, execute in-app purchase, and login to Game Center’,” the researchers added.

The inputed Apple credentials are stored on the malware’s C&C server.

Remediation

Apple has already removed the three instances of AceDeceiver from its various App Stores, and has revoked older enterprise certificates that have been used to sign versions of AceDeceiver apps.

But, unfortunately, Apple does not have control over the Aisi Helper Windows client, which is still being offered for download, and which can still use the FairPlay MITM attack to install AceDeceiver apps to non-jailbroken iOS devices (the apps themselves don’t have to be located in an App Store for this to happen).

The researchers advise users to uninstall the Aisi Helper’s Windows client or iOS app if they have downloaded and installed them after March 2015, to change their Apple ID passwords, and to check their devices for one of the three AceDeceiver apps and uninstall them. Their bundle identifiers are as follows: aisi.aisiring, aswallpaper.mito, and i4.picture.

But the researchers are worried that other malware authors will try to take advantage of this attack vector in the future.

For one, the attack does not require for malicious apps to be offered for download on Apple’s App Store (it only requires them to have been at one time). Secondly, the attackers don’t need to gain the users’ permission or force them to take action to install the malicious app. In fact, the users are not even asked whether they want to install the iOS client on their devices – the infection “spreads” quietly from the PC (Windows client).