Published in News

Apple's security turned over again

by on01 September 2015

Chinese hackers make short work of it

The fruity cargo cult Apple's faith-based security is being turned over by atheistic Chinese hackers.

While Apple is desperately assuming the missionary position to establish its faith in China, it appears the hackers have taken it in its back-end.

Security outfit's Palo Alto Networks and WeipTech were analysing suspicious Apple iOS tweaks reported by users and found more than 225,000 valid Apple accounts with passwords stored on a server.

WeipTech found 92 samples of a new iOS malware family in the wild, which it has named "KeyRaider" and it might be the largest known Apple account theft caused by malware.

KeyRaider is distributed through third-party Cydia repositories in China. In total, it appears this threat may have impacted users from 18 countries including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.

Most of the victims are in China and it would appear that the malware comes form China.

The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreak tweaks are software packages that allow users to perform actions that aren't typically possible on iOS.

These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple's server and purchase apps or other items requested by users.

The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.

Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.
Palo Alto Networks and WeipTech have provided services to detect the KeyRaider malware and identify stolen credentials.

Last modified on 01 September 2015
Rate this item
(7 votes)

Read more about: