Hackers Use iOS Malware "KeyRaider" And Steal 225,000 Apple Accounts From Jailbroken Devices


Cyber security research firm Palo Alto Networks has found iOS malware called KeyRaider, which stole 225,000 Apple accounts.


KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The attack was first discovered by i_82, a student from Yangzhou University and member of WeipTech. WeipTech (Weiphone Tech Team) is an amateur technical group consisting of users from Weiphone, one of the largest Apple fan websites in China. Previously, WeipTech cooperated with Palo Alto Networks to report on other iOS and OS X malware, including AppBuyer and WireLurker.

Palo Alto Networks, in cooperation with WeipTech, identified 92 samples of a new iOS malware family called "KeyRaider".

KeyRaider was distributed through Cydia repositories in China, but it has affected users in other countries as well, including France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.

Where the Malicious Code Exists
The KeyRaider malicious code exists in Mach-O dynamic libraries that are used as plugins for the MobileSubstrate framework. Through MobileSubstrate APIs, the malware can hook arbitrary APIs in system processes or in other iOS apps. Its capabilities include:

  • Stealing the Apple account (user name and password) and device GUID
  • Stealing certificates and private keys used by the Apple Push Notification Service
  • Preventing the infected device from being unlocked by passcode or by the iCloud service
  • Holding the device for ransom: in addition to stealing Apple accounts to buy apps, KeyRaider has built-in functionality to hold iOS devices for ransom.

How to Protect?
Users can use the following method to determine for themselves whether their iOS devices are infected:

  1. Install the OpenSSH server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/ and grep every file under that directory for these strings:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.
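The check above as a small shell script, written for this page as an added example (it is not a tool from Palo Alto Networks or WeipTech): it greps every dylib in the MobileSubstrate plugin directory for the four marker strings and, for each hit, prints the dylib and the same-named plist that should be removed before rebooting. It assumes a grep that accepts `-a` (GNU or BSD grep, as shipped in the usual Cydia packages).

```shell
#!/bin/sh
# Added example: scan a MobileSubstrate DynamicLibraries directory for the
# KeyRaider marker strings. Hypothetical helper script, not a vendor tool.
# Run on the device as:
#   sh keyraider_check.sh --scan /Library/MobileSubstrate/DynamicLibraries
KEYRAIDER_MARKERS="wushidou gotoip4 bamu getHanzi"

# Print the path of every .dylib in DIR containing at least one marker.
# Returns 0 if the directory is clean, 1 if anything matched.
scan_keyraider_dir() {
    dir=$1
    found=0
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue            # glob matched nothing
        for m in $KEYRAIDER_MARKERS; do
            # -a scans the Mach-O binary as text; -q only reports the exit status
            if grep -aq "$m" "$f"; then
                echo "$f"
                found=1
                break                      # one marker is enough to report it
            fi
        done
    done
    return $found
}

# Print the two files to remove for an infected dylib: the dylib itself and the
# MobileSubstrate filter plist sharing its basename (Foo.dylib -> Foo.plist).
keyraider_removal_list() {
    dylib=$1
    echo "$dylib"
    echo "${dylib%.dylib}.plist"
}

# Command-line entry point; guarded so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    target=${2:-/Library/MobileSubstrate/DynamicLibraries}
    if hits=$(scan_keyraider_dir "$target"); then
        echo "No KeyRaider markers found under $target"
    else
        echo "Suspicious dylibs (remove these and their plists, then reboot):"
        echo "$hits" | while read -r h; do keyraider_removal_list "$h"; done
        exit 1
    fi
fi
```

The string match is only a heuristic, so inspect a flagged dylib (for example, confirm it is not a tweak you installed yourself) before deleting it.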

We also suggest that all affected users change their Apple account password after removing the malware, and enable two-factor verification for their Apple IDs.

Next time you want to jailbreak your iOS device, think first: KeyRaider only affects jailbroken iOS devices.
