iOS Malware Compromises 225K Apple Logins

A new strain of malware, known as KeyRaider, is targeting jailbroken iOS mobile devices and has already stolen more than 225,000 Apple IDs.

The malware was identified by researchers from Palo Alto Networks, working in cooperation with WeipTech.

Jailbreaking defeats the software restrictions (code signing and app sandboxing) that limit which apps an iOS device can install, but it also strips away much of the operating system's security model, leaving the device exposed to threats such as the recently discovered KeyRaider malware. Apple advises against jailbreaking for exactly this reason.

KeyRaider steals Apple account usernames and passwords, together with the device GUID (Globally Unique Identifier), by intercepting iTunes traffic on the infected device. It also steals the certificates and private keys the device uses for Apple's push notification service, along with App Store purchasing receipts. The stolen purchasing data can be shared so that others can buy apps on the victim's account, and the malware can disable unlocking of the compromised iPhone or iPad, leaving the victim unable to regain control of the device.

According to the researchers, KeyRaider is distributed through third-party repositories for Cydia, the package manager used on jailbroken devices, and is believed to have affected users in 18 countries, including China, France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

The malware uploads stolen data to its server, which Palo Alto Networks confirmed has its own set of security vulnerabilities that expose user information.

At the time of the discovery of KeyRaider, the server contained:

  • 225,941 stolen Apple ID user names, passwords and device GUID combinations
  • 5,841 entries of infected devices’ certificate and private keys that are used by Apple’s push notification service
  • Over 3,000 entries of device’s GUID and app purchasing receipts from the App Store server

“We believe this to be the largest known Apple account theft caused by malware,” Claud Xiao of Palo Alto Networks wrote in a blog post over the weekend.

Some known victims of KeyRaider have reported fraudulent purchases on their Apple accounts, while others have had their devices locked and held for ransom. Because of the way KeyRaider works, the "rescue" methods that worked against earlier ransom lockers no longer restore a ransomed device: the malware can disable all unlocking operations, even when the correct password or passcode is entered.

Malware attacks on mobile devices are nothing new, but it is a surprise to see Apple devices being impacted by the ever-growing threat.

Earlier this year, a report from mobile security company Lookout found that mobile users encountered malware nearly twice as often in 2014 as in 2013, with the encounter rate rising from 4 percent to 7 percent of users.

The report, based on aggregated data from more than 60 million users worldwide, also said that more than 4 million Android users in the U.S. encountered ransomware, with some victims forced to pay as much as $500 to unlock their devices.

Malware typically gets onto devices through drive-by downloads from infected websites, and through malicious links in spam emails, said Jeremy Linden, Lookout’s senior security product manager. For the most part, the infections target Android devices.

Linden explained that Apple’s iOS is typically less attractive to malware writers due to Apple’s testing and curation of its app store and iOS’s walled-garden architecture. While his company has seen some iOS-based mobile threats, they’re typically limited to specific geographies and only tend to appear on jailbroken devices.

“Our primary suggestion for those who want to prevent KeyRaider and similar malware is to never jailbreak your iPhone or iPad if you can avoid it,” Xiao added. “… Use all Cydia repositories at your own risk.”

While the KeyRaider malware has been confirmed to only impact jailbroken devices, researchers warn against the potential for stolen accounts to be used in social engineering, fraud and targeted attacks going forward.

Both WeipTech and Palo Alto Networks have provided query methods for Apple users to determine if their devices have been infected with the malware.
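As an added example (not the query method WeipTech or Palo Alto Networks published, and not code from the article), the shell script below shows the shape such an on-device check takes: enumerate the MobileSubstrate tweak libraries on a jailbroken device and grep them for published indicator strings. The directory path and the strings in the IoC file are assumptions; on a real device the placeholder indicators must be replaced with the vendors' published ones, and the scan is run over SSH. The fixture the demo runs against is constructed here so the script can be tried without a device.

```shell
#!/bin/sh
# Added example (not the WeipTech or Palo Alto Networks check): look for indicator
# strings inside the MobileSubstrate tweak libraries on a jailbroken device.
# Assumptions not taken from the article: Substrate tweaks load from
# /Library/MobileSubstrate/DynamicLibraries, the device is reachable over SSH,
# and the strings in the IoC file are placeholders for the published indicators.

SUBSTRATE_DIR=/Library/MobileSubstrate/DynamicLibraries

# scan_substrate_dylibs DIR IOC_FILE
#   Prints "SUSPECT: <path>" for each .dylib in DIR that contains any literal
#   string listed (one per line) in IOC_FILE. The exit status is the number of
#   suspect libraries, so 0 means nothing matched.
scan_substrate_dylibs() {
    dir=$1
    ioc_file=$2
    found=0
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue
        # -a: treat the Mach-O binary as text   -F: patterns are literal strings
        # -q: stop at the first hit             -f: read patterns from IOC_FILE
        if grep -a -q -F -f "$ioc_file" "$lib"; then
            echo "SUSPECT: $lib"
            found=$((found + 1))
        fi
    done
    return "$found"
}

# make_fixture
#   Builds a constructed sample tree (no real device needed) and prints its path:
#   one benign tweak and one tweak that embeds a placeholder indicator string.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/DynamicLibraries"
    printf 'fake tweak: recolours the status bar\n' \
        > "$fx/DynamicLibraries/StatusColor.dylib"
    printf 'fake tweak: hooks SSLWrite\nHYPOTHETICAL_C2_HOST\n' \
        > "$fx/DynamicLibraries/AccountGrabber.dylib"
    # Placeholder indicators; replace with the vendors' published strings.
    printf 'HYPOTHETICAL_C2_HOST\nHYPOTHETICAL_IOC_2\n' > "$fx/iocs.txt"
    echo "$fx"
}

# Stand-alone demo against the constructed fixture. On a real device, run
#   scan_substrate_dylibs "$SUBSTRATE_DIR" /path/to/published_iocs.txt
# over SSH instead. Set NO_DEMO=1 to source the functions without running it.
if [ -z "${NO_DEMO:-}" ]; then
    fx=$(make_fixture)
    n=0
    scan_substrate_dylibs "$fx/DynamicLibraries" "$fx/iocs.txt" || n=$?
    if [ "$n" -eq 0 ]; then
        echo "no indicators found"
    else
        echo "$n suspect library set(s) found: remove the tweak and change the Apple ID password"
    fi
    rm -rf "$fx"
fi
```

A clean result from a string scan is only as good as the indicator list, so it rules out known samples, not unknown ones; if the account password may have been captured, change it and review App Store purchases regardless of what the scan reports.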