'KeyRaider' malware harvests 225,000 Apple IDs from jailbroken iOS devices
A new form of iOS malware making its way around the jailbreak scene has resulted in the theft of credentials linked to at least 225,000 Apple IDs, resulting in fraudulent app purchases and in some cases ransom demands.
A ransom message displayed on an iPhone infected with KeyRaider. Image via Palo Alto Networks.
KeyRaider -- discovered by researchers at Palo Alto Networks and WeipTech -- is primarily distributed via Cydia repositories in China, but has been found on devices owned by users throughout the world, including the UK and the U.S. Those firms began investigating earlier this summer, after some users of jailbroken iOS devices found unauthorized purchases or other abnormalities in their Apple accounts.
The malware collects a number of other items in addition to Apple ID usernames and passwords: the device's unique identifier (GUID), the security certificates and private keys used for the Apple Push Notification service, and App Store purchase data.
KeyRaider also disables the ability to unlock iOS devices on which it's installed, a feature occasionally used to remotely hold devices for ransom.
The researchers say KeyRaider is linked to two other jailbreak tweaks that let users download App Store apps for free. Using the stolen credentials, those tweaks impersonate legitimate users in App Store purchase requests.
KeyRaider's appearance underscores that jailbreaking, despite being occasionally useful, represents a significant security risk for users. While iOS is impressively secure in its default configuration, jailbreaking necessarily removes some protections and opens devices up to unwanted data exfiltration.
Comments
KeyRaider's appearance underscores that jailbreaking, despite being occasionally useful, represents a significant security risk for users. While iOS is impressively secure in its default configuration, jailbreaking necessarily removes some protections and opens devices up to unwanted data exfiltration.
At this point I have no sympathy for the jailbreaking community. Even in the early days of jailbreaking when you could make an argument for doing it I never saw the value of hacking something that contains the amount of personal information the average smartphone contains...
Imagine that. A jailbroken device has a flaw that can be exploited.
At this point I have no sympathy for the jailbreaking community. Even in the early days of jailbreaking when you could make an argument for doing it I never saw the value of hacking something that contains the amount of personal information the average smartphone contains...
The weakest link in security is stupid users. This is akin to walking up to a stranger on the street -- borrowing a dirty needle and injecting yourself with it....
Agreed. It's users who install shady or pirate repos that seem to have these problems.
The weakest link in security is stupid users. This is akin to walking up to a stranger on the street -- borrowing a dirty needle and injecting yourself with it....
Fair enough...
I wonder whether those who jailbroke their phones and experienced financial losses will get no recourse, since it is their own fault.
The weakest link in security is stupid users. This is akin to walking up to a stranger on the street -- borrowing a dirty needle and injecting yourself with it....
And there'll always be somebody saying it's the fault of the needle manufacturer.
I think AppleInsider is remiss in calling this an iOS exploit, like, I'm sure, the other less informed media outlets will do as well.
iOS does not, nor will allow this exploit. It is the "no-longer-iOS" devices that allow this and AI shouldn't be adding to the FUD by sloppily reporting this as iOS.
At this point I have no sympathy for the jailbreaking community.
Well, risk-takers will do what they must to feed what drives them. I'm sure a great deal of personal satisfaction is gleaned from the notion of succeeding in the face of bucking the system.
I am no risk-taker in that sense; and I don't feel the need to sympathize when something bad like this happens. But I do understand where they're coming from. And I hope they understand themselves well enough to take personal responsibility for said risks.
I'm waiting for the media to sensationalize this and make it sound like it's a non-jailbroken problem.
I can pretty much guarantee the trolls, Fandroids, and iHaters will try passing off this non-story as an Apple problem.
The iOS "Walled Garden" doesn't seem so bad now, does it?
I loved to be able to jailbreak my iPhone early on (for perfectly legit purposes, such as being able to download video podcasts > 100MB over LTE, stream TiVo or Amazon Video over LTE, use tethering, and a bunch of other cool UI features), back when the jailbreaks came from well known US hackers. Since iOS 7, I have zero trust in these Chinese jailbreaks, and there is no way I would install them on my phone.
And yes, you're right. The "walled garden" seems like a really good idea after all, even though it can be frustrating at times. Just ask Google... the StageFright nightmare hasn't even started.
I loved to be able to jailbreak my iPhone early on (for perfectly legit purpose ... The "walled garden" seems like a really good idea after all, even though it can be frustrating at times.
What can you not do on your non-jailbroken device? How much of that is pegged on the carrier, not the device or operating system? For example, my carrier has allowed tethering since day one (back in 2008), whereas many carriers still don't allow it without an extra charge or a long-term contract. Jailbreaking would get around that for those carriers, I agree.
I think AppleInsider is remiss in calling this an iOS exploit, like, I'm sure, the other less informed media outlets will do as well.
iOS does not, nor will allow this exploit. It is the "no-longer-iOS" devices that allow this and AI shouldn't be adding to the FUD by sloppily reporting this as iOS.
I agree with this 100%. AppleInsider is being irresponsible by using that wording... "a new form of iOS malware"... as if there are many other forms?
I'm waiting for the media to sensationalize this and make it sound like it's a non-jailbroken problem.
I can pretty much guarantee the trolls, Fandroids, and iHaters will try passing off this non-story as an Apple problem.
This.
What can you not do on your non-jailbroken device? How much of that is pegged on the carrier, not the device or operating system? For example, my carrier has allowed tethering since day one (back in 2008), whereas many carriers still don't allow it without an extra charge or a long-term contract. Jailbreaking would get around that for those carriers, I agree.
Luckily here tethering is allowed on all devices whether on contract or pay-as-you go.