August 31, 2015 by

JailBroken Apple Devices Targeted by New Malware

A malware named ‘KeyRaider’ contributes to the world’s largest iCloud hijack and is speculated to affect over 225,000 jailbroken Apple devices.

Apple devices running modified (jailbroken) iOS have been targeted by sophisticated malware called KeyRaider, which stole more than 225,000 Apple accounts in a hijacking spree, reports The Register.

Amateur cybersecurity enthusiasts in China calling themselves WeipTech were notified about multiple reports of Apple users’ accounts being charged for unauthorized purchases. The team quickly informed security researchers at Palo Alto Networks, and together they discovered that these unauthorized purchases affected jailbroken Apple devices.


Upon further research, the researchers found a ‘tweak’ installed in the targeted devices. This modification was gathering user information before uploading it to a remote server.

It was here that the researchers discovered a database containing over 225,000 entries, consisting of both encrypted data and plaintext. Plaintext entries included Apple IDs and usernames, passwords and GUIDs.

Claud Xiao of Palo Alto Networks explained the attack in a blog post, writing:

“By reverse-engineering the jailbreak tweak, WeipTech found a piece of code that uses AES encryption with fixed key of ‘mischa07’. The encrypted usernames and passwords can be successfully decrypted using this static key.

“They then confirmed that the listed user names were all Apple accounts and validated some of the credentials.”

Significantly, the KeyRaider malware, which steals user and device data, only affects jailbroken iOS devices. It is being distributed through various Cydia repositories on a Chinese Apple fan site, Weiphone.

The threat is estimated to impact users from 18 countries. They include Japan, China, France, Russia, United States, United Kingdom, Canada, Germany, Australia, Israel, Spain, Singapore and South Korea.

“We believe this to be the largest known Apple account theft caused by malware,” wrote Xiao before adding: “KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.”

The malware completes a hijack by disabling the unlock mechanism on iPhones and iPads, both remotely and locally. Multiple reports have surfaced where victims have been forced to submit to ransom demands.

Xiao recommends that all affected users with a jailbroken device change their Apple account password after removing the malware (instructions here). Enabling two-factor verification is also strongly recommended.

Image credit: PixaBay


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
