A newly discovered malware family that preys on jailbroken iPhones has collected login credentials for more than 225,000 Apple accounts, making it one of the biggest Apple account compromises to be caused by malware.
KeyRaider, as the malware family has been dubbed, is distributed through a third-party repository of Cydia, which markets itself as an alternative to Apple’s official App Store. Malicious code surreptitiously bundled with Cydia apps is causing problems for people in China and at least seventeen other countries, including France, Russia, Japan, and the UK. Not only has it pilfered account information for 225,941 Apple accounts, it has also disabled some infected phones until users pay a ransom, and it has made unauthorized charges against some victims’ accounts.
Researchers with Palo Alto Networks worked with members of the Chinese iPhone community Weiphone after members found the unauthorized charges. In a blog post published Sunday, the Palo Alto Networks researchers wrote:
KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.
The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreak tweaks are software packages that allow users to perform actions that aren’t typically possible on iOS.
These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.
Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.
As if the theft of the Apple account credentials wasn’t bad enough, the information was uploaded to a website that contained a SQL-injection vulnerability. The flaw made it trivial for outsiders to access some of the records. Most of the e-mail addresses of affected users suggest they’re Chinese or possibly Chinese people living in other countries.
The KeyRaider discovery provides a cautionary tale about the risks of jailbreaking iPhones. Most security consultants discourage the practice unless it’s done by highly experienced people who understand precisely what code they are using to bypass Apple engineers’ safeguards and, once that is done, what other apps they are installing.