
New iOS malware targets jailbroken devices, iCloud accounts

Security researchers discovered a new type of iOS malware that targets jailbroken devices and can allow attackers to take over the devices via iCloud.

Security researchers have discovered a new type of iOS malware that targets jailbroken devices and can allow attackers to take control of those devices through Apple's iCloud service.

According to a report from Palo Alto Networks Inc. released this week, WeipTech, a group of Chinese cybersecurity enthusiasts, recently discovered that more than 225,000 Apple accounts had been compromised after several users notified the group of suspicious iOS activity. WeipTech alerted Palo Alto Networks, and the two organizations soon identified a new iOS malware family, dubbed "KeyRaider," that specifically targets jailbroken devices. Jailbreaking is a form of privilege escalation that grants root access to the iOS file system, allowing users to install applications and use wireless carrier services not approved by Apple; it also disables the code-signing and sandbox protections that would otherwise prevent unsigned tweaks from being loaded into system processes.

The iOS malware, according to the report, steals Apple account usernames, passwords and device GUIDs (globally unique identifiers), as well as Apple Push Notification service certificates and private keys, by intercepting iTunes traffic on the device. "We believe this to be the largest known Apple account theft caused by malware," wrote Palo Alto Networks security researcher Claud Xiao in the report.

In addition, Xiao states that KeyRaider can allow attackers to remotely unlock jailbroken devices through iCloud and gain complete control or hold the devices for ransom. He also said that KeyRaider, which uploads stolen credentials and data to a command and control server, differs from other iOS malware or ransomware attacks.

"Some of these attacks can be avoided by resetting the account password to regain control of iCloud," Xiao wrote. "KeyRaider is different. It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered."


Xiao's report also stated that attackers can use KeyRaider to send ransom demands through Apple Push Notification messages directly to users via the stolen certificates and private keys, completely bypassing Apple's push server.

"Because of this functionality," Xiao wrote, "some of the previously used 'rescue' methods are no longer effective."

While KeyRaider's features may be more advanced than those of recent mobile malware or ransomware, Xiao wrote that the purpose of the attack was nothing more than to allow attackers to download applications from Apple's App Store and make in-app purchases through them without actually paying.

The Palo Alto Networks report states that the company, in cooperation with WeipTech, identified 92 samples of the KeyRaider malware and discovered affected users in 18 different countries, including China, Russia, and the U.S. KeyRaider, according to Xiao, spreads through third-party repositories for Cydia, which is iOS software that allows users to install applications on jailbroken devices. 

Both Palo Alto Networks and WeipTech offered services and guidance to help users determine if their jailbroken iOS devices had been infected by KeyRaider and if their accounts' credentials had been stolen. Palo Alto Networks recommended that users enable two-factor authentication on their Apple IDs to prevent attackers from using stolen credentials to take over their Apple ID and iCloud accounts.
