Apple account credentials for more than 225,000 individual accounts have been stolen by sophisticated malware that specifically targets modified or jailbroken iOS devices. This malware, referred to as Key Raider, gives attackers the ability to lock user’s devices in order to secure a ransom, as well as download applications from the Apple App Store without making payment.
It’s believed that this is the largest Apple account theft caused by malware to date. Apple was notified of Key Raider on August 26th, and was provided the stolen account information at this time, but currently still haven’t been reached for comment.
Jailbreaking is a process that removed Apple’s protections which limit what apps can be installed, and Apple advises against jailbreaking to avoid security threats such as this one. The Key Raider malware is spread by incorporating it into jailbreaking tweaks or software packages that modify the iOS to allow for a new function.
So far, the malware has been found within tweaks that have been published on the Weiphone forum. A Weiphone user with the handle “mischa 07” is suspected to be the person responsible for seeding Key Raider to their personal repository if apps, and the same user name was hardcoded into the malware as the encryption and decryption key.
Mischa 07’s repository indicated that they have uploaded many tweaks to Weiphone, including game cheats and ones that allow users to strip advertisements from apps and tune their systems.
Key Raider works by tapping into Cydia system processes. Cydia is the application used for downloading apps to jailbroken devices. It steals data by intercepting iTunes traffic, and then uses that data to fraudulently download other apps. The Key Raider malware also collects the following:
Weiptech located the stolen information on a command and control server that communicates with phones infected with the malware. There were security vulnerabilities that allowed the group to obtain the stolen information, but the malware authors caught on and only about half of the stolen accounts were recovered before the attackers were able to fix the vulnerability.
Keep in mind, if you’ve jailbroken your mobile device, all of the sensitive data stored on that device is at risk for disclosure. Contact us at (416) 410-7268 or email us: firstname.lastname@example.org and we’ll help you secure your device against the latest threats.