Jailbreak iOS Trojan KeyRaider used as part of free apps scam 

Aug 31, 2015 10:50 AM

A new malware family has been discovered that is reportedly responsible for the theft of 225,000 Apple account credentials, as well as a host of other sensitive data. The malware, dubbed KeyRaider, targets jailbroken iOS devices and is distributed through third-party app stores that specialize in software for jailbroken devices. The stolen Apple IDs are being used to provide “free” apps and in-app purchases for other users. The malware is mainly impacting users in China.

Raiders of the lost accounts
The KeyRaider malware was uncovered after users of popular iPhone community Weiphone began reporting unexpected purchases being made using their Apple accounts.

KeyRaider is distributed as repackaged apps. Once on the jailbroken device, the malware intercepts iTunes traffic and steals the user’s account login credentials, device GUID, Apple push notification service certificates and private keys, and iTunes purchase receipts. The stolen information is sent to a remote server.

After investigating the suspicious account activity reported by users, researchers discovered the malware as well as two related jailbreak tweaks. Jailbreak tweaks are programs that allow users with jailbroken devices to perform actions that are usually not possible with un-jailbroken devices. The two suspicious tweaks, named iappstore and iappinbuy, were advertised as software packages that allowed users to download paid apps and in-app purchases for free.

Researchers found over 225,000 entries stored on the remote server to which KeyRaider sends compromised credentials. When a user who has installed the iappstore or iappinbuy jailbreak tweak attempts to download a paid app or in-app purchase from the App Store, the tweak connects to the remote server and uses a stolen set of credentials to complete the purchase, so the owner of those stolen credentials ends up being billed. This is why unsuspecting owners of stolen Apple accounts are seeing unusual charges appear on their accounts.
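The billing pattern described above (a purchase completed with one person's credentials from someone else's device) is detectable from the purchase history alone. The following Python is an added illustration, not Symantec's code and not a description of any check Apple performs: it runs two simple rules over constructed purchase records, flagging a purchase from a device GUID the account has never used before, and a burst of purchases from two different devices within a short window. Because the post notes that the device GUID is itself among the stolen data, a check that trusts the device identifier on its own should be treated as a weak signal, which is why the example pairs it with the burst rule. All account names, GUIDs and timestamps below are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample purchase records (not real data). Each entry is one
# completed purchase: the Apple account billed, the device GUID that made
# the request, an ISO-8601 timestamp and the item bought.
PURCHASES = [
    {"account": "alice@example.com", "device": "GUID-A1", "time": "2015-08-20T09:00:00", "item": "paid-app-1"},
    {"account": "alice@example.com", "device": "GUID-A1", "time": "2015-08-21T18:30:00", "item": "iap-coins"},
    # Purchases from a device alice has never used, two minutes apart...
    {"account": "alice@example.com", "device": "GUID-Z9", "time": "2015-08-25T02:10:00", "item": "paid-app-7"},
    {"account": "alice@example.com", "device": "GUID-Z9", "time": "2015-08-25T02:12:00", "item": "paid-app-8"},
    # ...followed by a purchase from her own device three minutes later.
    {"account": "alice@example.com", "device": "GUID-A1", "time": "2015-08-25T02:15:00", "item": "iap-gems"},
    {"account": "bob@example.com", "device": "GUID-B2", "time": "2015-08-22T11:00:00", "item": "paid-app-2"},
    {"account": "bob@example.com", "device": "GUID-B2", "time": "2015-08-26T11:00:00", "item": "iap-skin"},
]


def flag_suspicious(purchases, window=timedelta(hours=1)):
    """Return a list of (account, reason, record) alerts.

    Rules applied per account, in chronological order:
      new_device         - the purchasing device GUID has never been seen for
                           this account before (weak signal on its own, since
                           KeyRaider also steals the GUID).
      multi_device_burst - within `window` the account has purchased from at
                           least two different device GUIDs.
    """
    by_account = defaultdict(list)
    for rec in sorted(purchases, key=lambda r: r["time"]):
        by_account[rec["account"]].append(rec)

    alerts = []
    for account, recs in by_account.items():
        seen_devices = set()
        recent = []  # (timestamp, device) pairs inside the sliding window
        for rec in recs:
            t = datetime.fromisoformat(rec["time"])
            dev = rec["device"]

            # Rule 1: first purchase ever from this device on this account
            # (the very first device an account uses is not flagged).
            if seen_devices and dev not in seen_devices:
                alerts.append((account, "new_device", rec))
            seen_devices.add(dev)

            # Rule 2: drop entries older than the window, then check whether
            # any remaining purchase came from a different device.
            recent = [(rt, rd) for rt, rd in recent if t - rt <= window]
            if any(rd != dev for _, rd in recent):
                alerts.append((account, "multi_device_burst", rec))
            recent.append((t, dev))
    return alerts


def alert_summary(purchases):
    """Map each account to the set of alert reasons raised against it."""
    summary = defaultdict(set)
    for account, reason, _ in flag_suspicious(purchases):
        summary[account].add(reason)
    return dict(summary)


if __name__ == "__main__":
    for account, reason, rec in flag_suspicious(PURCHASES):
        print(f"{account}: {reason} at {rec['time']} from {rec['device']} ({rec['item']})")
```

On the sample data only alice's account is flagged: once when GUID-Z9 first appears, and once more when her own device buys within the same hour as the unknown device. In a real billing pipeline the window and the first-seen baseline would be tuned against legitimate multi-device use (a user with both an iPhone and an iPad), and an alert would prompt a password change and receipt review rather than an automatic block.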

A problem only in China?
It was also reported that the majority of the email addresses associated with the compromised Apple accounts belonged to Chinese users. However, email addresses linked to other countries, such as France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea, were also found. These addresses could belong to Chinese users who are based in other countries.

One possible reason China is disproportionately affected is the huge appetite for third-party app stores among Chinese owners of iOS devices. iOS users can only download software from third-party app stores after they jailbreak their device, and once a device is pointed at the murkier corners of the internet for its apps, the risk of being hit by malware and other unwanted software rises sharply.

Mitigation
Users with non-jailbroken devices are not at risk from this threat and have little to be concerned about. Symantec advises users against jailbreaking their devices, as it can seriously impact security and is against the usage policies of the product.

Users should also only install apps from trusted sources. Trusted app stores, such as Apple’s, have a rigorous vetting policy in place to prevent malicious apps from appearing in the ecosystem. Third-party app stores often don’t have the same controls and policies in place when it comes to the software they distribute and may be used to harbor malicious copies of well-known apps or other malware.

Symantec and Norton products detect the malicious app discussed in this blog as IOS.Keyraider.