KeyRaider Malware Results in World’s Largest iCloud Hijack

iphone651350_1280In what is seen as the most comprehensive Apple accounts hijack in history, a malware named ‘KeyRaider’ is said to affect over 225,000 jailbroken Apple devices.

A new iOS malware known as KeyRaider, targeting jailbroken devices, has already claimed private account information from over 225,000 Apple accounts, reports ThreatPost.

A team of Chinese amateur cybersecurity enthusiasts called WeipTech were alerted to a disturbance, immediately alerting security researchers at Palo Alto Networks. Weiptech stumbled upon a database storing a large horde of stolen Apple data after paying heed to multiple reports of users’ Apple accounts being charged with unauthorized purchases. Upon further research, the team found that a ‘tweak’ was installed in these targeted jailbroken devices and user data was being assimilated to a remote server.

The plaintext found in the database located on the server included Apple usernames, passwords, and GUIDs. Significantly, there were over 255,000 entries in the database, making for one mammoth breach.

While jailbreaking is popular among end-users who tweak their phones, it is a practice scorned upon by Apple. A jailbreak is usually done to facilitate downloads from the Cydia store that distributes pirated applications. The company routinely releases updates to curb any exploits through jailbreaking.

Malware. End Users. Havoc.

Some of the many victims are currently being locked out of their phones and tablets and are forced to give in to ransom demands, reports say.

In a blog post, Claud Xiao of Palo Alto Networks who discovered the hijack wrote in no unclear terms:

We believe this to be the largest known Apple account theft caused by malware.

Crucially, the KeyRaider malware only affects jailbroken Apple devices. Xiao notes that the malware threat is likely to have impacted 18 countries. They include Japan, United States, United Kingdom, Australia, France, China, Russia, Canada, Germany, Israel, Italy, Spain, Singapore and South Korea.

“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying,” Xiao claims.

The malware starts by hooking system processes through MobileSubstrate before stealing “Apple account usernames, passwords and device GUID” by looking into iTunes traffic to and from the device, explains Xiao.

The malware then claims Apple push notification certificates and private keys before sharing Apple’s App Store purchase information. The malware also disables the unlocking of Apple devices, both locally and remotely on iPhones and iPads, completing the hijack altogether.

KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.

White Hats Doing What They Do

By bundling the malware into several jailbreak tweaks, the malicious hijack is now being distributed on the Weiphone jailbreak forum. A user by the name ‘mischa07’, specializing in cheats and tweaks is behind the suspected hijack.

A Yangzhou University student only known as ‘i_82’ discovered the attack and worked with Xiao in tandem with a group of white hats to look into the exploit. They succeeded in exploiting an SQL injection vulnerability found on the attacker’s server before learning about the hack.

Remarkably, the researchers were able to gain nearly half of the stolen account information before the malicious hacker got wise to the researchers’ exploit.

Users with jailbroken devices can check this website set up by Xiao and his team to find out if they’re among those affected.

Images from Gil C / Shutterstock and Pixabay.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.