Palo Alto Networks has identified a new iOS malware family dubbed ‘KeyRaider’ which has stolen over 225,000 valid Apple accounts with passwords from jailbroken devices. With help from WeipTech, the company found 92 samples of malware responsible for may be the largest theft of Apple accounts caused by malware.
KeyRaider is distributed through third-party Cydia repositories, primarily in China. It hooks system processes through MobileSubstrate and steals Apple account usernames, passwords and device GUIDs by intercepting iTunes traffic. It also steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.
The stolen data is uploaded to a command and control server and used by two jailbreak tweaks (iappstore and iappinbuy) to facilitate free App Store purchases.
These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.
Due to a vulnerability in the command and control server, researchers were able to download about half the accounts before their presence was detected and blocked. To check if your account is on the partial list of compromised accounts, click here.
A better method to check if your device is compromised involves searching for strings on your device:
1. Install openssh server through Cydia
2. Connect to the device through SSH
3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings to all files under this directory:
● wushidou
● gotoip4
● bamu
● getHanzi
If any dylib file contains any one of these strings, Palo Alto Networks urges users to delete it and delete the plist file with the same filename, then reboot the device. It’s also recommended that all affected users change their Apple account password after removing the malware, and enable two-factor verifications for their Apple IDs.
To make matters worse, KeyRaider has the ability to hold your device and account at ransom.
Some previous iPhone ransomware attacks are based on remotely controlling the iOS device through the iCloud service. Some of these attacks can be avoided by resetting the account password to regain control of iCloud. KeyRaider is different. It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of previously used “rescue” methods are no longer effective.
More details on how the malware works can be found at the link below. As usual we recommend you only install tweaks from trusted sources or default repositories.
