August 31, 2015 by

JailBroken Apple Devices Targeted by New Malware

A malware named ‘KeyRaider’ contributes to the world’s largest iCloud hijack and is speculated to affect over 225,000 jailbroken Apple devices.

Modified or jailbroken iOS running Apple devices have been targeted by a sophisticated malware called KeyRaider that stole more than 225,000 Apple accounts in a hijacking spree, reports The Register.

Amateur cybersecurity enthusiasts in China calling themselves WeipTech were notified about multiple reports of Apple users’ accounts being charged due to unauthorized purchases. The team quickly informed security researchers at Palo Alto and discovered that these unauthorized purchases affected jailbroken Apple devices.

Related Article: Two Zero-Day Vulnerabilities Discovered in Apple’s OS X

Upon further research, the researchers found a ‘tweak’ installed in the targeted devices. This modification was gathering user information before uploading it to a remote server.

It was here that the researchers discovered a database containing over 225,000 entries that consisted of encrypted data and plaintext. Plaintext entries included Apple IDs and usernames, passwords and GUIDS.

Claud Xiao of Palo Alto Networks wrote in a blog post explaining the attack, saying:

“By reverse-engineering the jailbreak tweak, WeipTech found a piece of code that uses AES encryption with fixed key of “mischa07″. The encrypted usernames and passwords can be successfully decrypted using this static key.

“They then confirmed that the listed user names were all Apple accounts and validated some of the credentials.”

Significantly, the KeyRaider malware stealing user and device data only affects jailbroken iOS devices. The malware is being distributed through various Cydia repositories on a Chinese Apple fan site, Weiphone.

The threat is estimated to impact users from 18 countries. They include Japan, China, France, Russia, United States, United Kingdom, Canada, Germany, Australia, Israel, Spain, Singapore and South Korea.

“We believe this to be the largest known Apple account theft caused by malware,” wrote Xiao before adding: “KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.”

The malware completes a hijack by disabling the unlock mechanism on iPhones and iPads, both remotely and locally. Multiple reports have surfaced where victims have been forced to submit to ransom demands.

Xiao recommends all affected users with a jailbroken device to change the Apple account password after removing the malware (instructions here). Two-factor verification is also strongly recommended.

Image credit: PixaBay

 

About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

New Ransomware ‘Spider’ Threatens Wipeout in 96 Hours

A new strain of ransomware discovered by security researchers encrypts files and gives victims a...

Read more arrow_forward

Security Researchers Discover Trove of 1.4 Billion Credentials

Security researchers at dark web monitoring firm 4iQ have stumbled upon a massive 41GB data file of...

Read more arrow_forward

Gartner Research: Cybersecurity Spending to Hit $96 Billion in 2018

Gartner has predicted worldwide security spending to increase by 8% in 2018 to hit a staggering $96...

Read more arrow_forward