According to the Palo Alto Networks more than 225.000 Apple accounts have already been stolen by KeyRaider, a malware that targets jailbroken iOS devices. “In total, it appears this threat may have impacted users from 18 countries including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea”, it says on the blog post. “We believe this to be the largest known Apple account theft caused by malware.”
KeyRaider is seemingly being spread by Weiphone, the largest Chinese Cydia Repository (with Cydia being an additional iOS app store for users with jailbroken iOS devices). It steals user names, passwords and device GUIDs by intercepting iTunes traffic on the device.
“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying”, the blog article goes on. Sadly, stealing account data is not all the malware does. KeyRaider also has a built-in functionality that allows it to moonlight as an iOS ransomware. In addition to that stolen accounts can be used for app promotion, spam, and device unlocking, as well as fraud.
The malware was discovered by a student who is known as i_82 from WeipTech. He came across the database which held the stolen account information and promptly exploited a vulnerability on the cybercriminal’s server to learn about the attack: “By reverse-engineering the jailbreak tweak, WeipTech found a piece of code that uses AES encryption with fixed key of “mischa07”. The encrypted usernames and passwords can be successfully decrypted using this static key. They then confirmed that the listed usernames were all Apple accounts and validated some of the credentials. The WeipTech researchers dumped around half of all entries in the database before a website administrator discovered them and shut down the service.”
Apple has been informed.