Malware named KeyRaider has stolen iTunes log-in credentials, Apple push notification service certificates, private keys and App Store purchase information, according to security firm Palo Alto Networks and the Chinese group WeipTech. Affecting more than 225,000 jailbroken iPhones, the malware uploaded the stolen data to a command and control (C2) server. It also disabled local and remote unlocking on these iPhones.
The malware was first discovered by WeipTech after some users reported suspicious activity on their accounts, such as app purchases they had not made. The attackers also held some iPhones hostage and demanded a ransom to unlock them.
According to the blog post released by Palo Alto Networks, the malware was distributed via third-party Cydia repositories in China. It attacks only jailbroken iOS devices, and has affected devices in more than 18 countries including China, France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea. Palo Alto has stated that it is the largest known theft of Apple accounts caused by malware.
Describing how the malware works, the firm wrote: "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads. The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreak tweaks are software packages that allow users to perform actions that aren't typically possible on iOS."
More than 20,000 users downloaded the tweaks and abused the details of about 225,000 accounts, mostly to make in-app purchases on other iOS devices.