'AceDeceiver' malware secretly installs malicious apps onto iOS devices

Posted:
in iPhone
A new form of iOS malware, nicknamed "AceDeceiver," can infect people without relying on an enterprise certificate or attacking jailbroken devices, security firm Palo Alto Networks revealed on Wednesday.




Instead the malware exploits flaws in Apple's FairPlay digital rights management, Palo Alto noted. Those vulnerabilities have used since 2013 to pirate iOS apps, but have only recently been turned to spread malware.

When fetching an app from Apple, a device normally pings the company's servers for a code proving it was purchased by a user. By intercepting such codes and crafting Windows software simulating iTunes' behavior, a hacker has been able to trick iOS devices into believing apps were bought by victims. The Windows software, dubbed "Aisi Helper," is disguised as a helpful tool but will install malicious iOS apps without alerting targets.

Three AceDeceiver apps disguised as wallpaper tools made their way onto the App Store between July 2015 and February 2016, Palo Alto said. The titles passed Apple code review "at least" seven times, the firm added, and were only removed once they were reported by Palo Alto late last month.

The apps are still a threat so long as they're installed, but are currently set to be malicious only in mainland China. Running them connects to a third-party app store where people are encouraged to enter their Apple IDs, which are then stolen and uploaded to a server.

Apple normally prides itself on iOS' security, but has still had to periodically remove App Store titles because of dangerous code. In November, for instance, the company pulled an Instagram client called InstaAgent after it was discovered collecting usernames and passwords.
«1

Comments

  • Reply 1 of 23
    So this affects iOS if you're using Windows in China?

    OK, noted.
    jeff_cookmorganhighley
  • Reply 2 of 23
    One more reason NOT to use Windows?
  • Reply 3 of 23
    So this affects iOS if you're using Windows in China?

    OK, noted.
    NDflyer said:
    One more reason NOT to use Windows?
    Congrats on reading the article. The apps in question were on the App Store. 
    revenant
  • Reply 4 of 23
    bloggerblogbloggerblog Posts: 1,813member
    and the FBI wants Apple to weaken its security even further
    edited March 2016 baconstangbrakkenlostkiwi
  • Reply 5 of 23
    So this affects iOS if you're using Windows in China?

    OK, noted.
    Congrats on reading the article. The apps in question were on the App Store. 
    Yes.  I read that.  It also implied it only was active in China on Window PCs.
    Congrats all around.
    morganhighleyration aljony0
  • Reply 6 of 23
    lkrupplkrupp Posts: 6,712member
    So this affects iOS if you're using Windows in China?

    OK, noted.
    Congrats on reading the article. The apps in question were on the App Store. 
    The Chinese App Store. There’s a BIG difference. What, you think the App Store is the same the world around?
    baconstangration al
  • Reply 7 of 23
    mtbnutmtbnut Posts: 190member
    This is like bashing ADP Alarm Company because their system didn't do its job when the homeowner left the front door open, wrote the PIN code on a Post-It note next to the alarm control panel, and connected their landline to a phone line run by a guy in a van down by the river.
    anantksundaramtdknoxronn
  • Reply 8 of 23
    foggyhillfoggyhill Posts: 4,767member
    While there is a special set of circumstances here, allowing Man in the middle intercept of Phone to Itunes comms (is this a modified version of Itunes?) codes is a bug and should be fixed.  Maybe make these codes expire so at least this can't be used for other exploits.
  • Reply 9 of 23
    lkrupplkrupp Posts: 6,712member
    mtbnut said:
    This is like bashing ADP Alarm Company because their system didn't do its job when the homeowner left the front door open, wrote the PIN code on a Post-It note next to the alarm control panel, and connected their landline to a phone line run by a guy in a van down by the river.

    It’s all about stirring up FUD about Apple and selling security software. The security crowd is incensed that the iOS and OS X platforms actually are pretty secure when compared to the competition anyway. The haters want the populace to believe there is no difference between Apple and the others. But it’s mostly about selling security software. Scare people into buying software that turns their Macs or iPhones into sluggish malfunctioning bricks. But hey, they’re “safe” now.
    jony0tdknoxlostkiwi
  • Reply 10 of 23
    volcanvolcan Posts: 1,766member
    thewhitefalcon said:

    Congrats on reading the article. The apps in question were on the App Store. 
    The original Palo Alto article linked in the AI article has a much better explanation of how it works and why. I'll try to summarize.

    1) Any Windows PC user follows a link to the website of the malware author.
    2) They are encouraged to download a Windows helper app (malware) which claims to assist in managing iOS devices
    3) Once installed on computer, the user is instructed to download an iOS app through a fake iTunes feature within the Windows app
    4) The user is prompted for their Apple ID log in which is then stolen. This is the primary purpose of the malware
    5) Windows then automatically installs the iOS malware app to any iOS device connected to the computer, without user action.
    6) The iOS malware does have an icon which the user might notice as something they did not install, but...
    7) Once the malware is installed on the iOS device users can download pirated games from a third party App Store.
    8) Currently it only works in China but that could be changed to any region very easily. It works best if it is restricted to only one region at a time
    baconstangpscooter63jony0anantksundaramtdknoxnoivadbadmonk
  • Reply 11 of 23
    volcanvolcan Posts: 1,766member
    lkrupp said:

    But it’s mostly about selling security software. Scare people into buying software that turns their Macs or iPhones into sluggish malfunctioning bricks. But hey, they’re “safe” now.
    Not the case with Palo Alto. They don't sell PC/Mac/iPhone virus protection. They provide businesses with network intrusion protection and prevention firewall services for commercial enterprise applications.
    edited March 2016
  • Reply 12 of 23
    volcan said:
    lkrupp said:

    But it’s mostly about selling security software. Scare people into buying software that turns their Macs or iPhones into sluggish malfunctioning bricks. But hey, they’re “safe” now.
    Not the case with Palo Alto. They don't sell PC/Mac/iPhone virus protection. They provide businesses with network intrusion protection and prevention for commercial enterprise applications.
    Ikrupp subscribes to the "Apple can do no wrong" philosophy. Anything negative about Apple must be a lie. 
    edited March 2016 revenantdasanman69Blaster
  • Reply 13 of 23
    See that picture of "victim PC with third party client?"

    thats Tidal. 


    Stay away (from jay. And Kanye). 
    baconstang
  • Reply 14 of 23
    In reality this is simply a "better" phishing scheme. 

    Thats about it. 
    baconstangsockrolidvolcantdknoxronn
  • Reply 15 of 23
    sockrolidsockrolid Posts: 2,788member
    That's one less attack vector for the FBI to try.

    Good.
  • Reply 16 of 23
    focherfocher Posts: 638member
    This is a man-in-the-middle attack. Apple should fix it by ensuring both sides of the communication are always verified. 

    It may be only in China right now but conceptually this could be done merely by having the malicious middle tier on your network with some traffic redirection. 
  • Reply 17 of 23
    jony0jony0 Posts: 269member
    volcan said:
    thewhitefalcon said:

    Congrats on reading the article. The apps in question were on the App Store. 
    The original Palo Alto article linked in the AI article has a much better explanation of how it works and why. I'll try to summarize.

    1) Any Windows PC user follows a link to the website of the malware author.
    2) They are encouraged to download a Windows helper app (malware) which claims to assist in managing iOS devices
    3) Once installed on computer, the user is instructed to download an iOS app through a fake iTunes feature within the Windows app
    4) The user is prompted for their Apple ID log in which is then stolen. This is the primary purpose of the malware
    5) Windows then automatically installs the iOS malware app to any iOS device connected to the computer, without user action.
    6) The iOS malware does have an icon which the user might notice as something they did not install, but...
    7) Once the malware is installed on the iOS device users can download pirated games from a third party App Store.
    8) Currently it only works in China but that could be changed to any region very easily. It works best if it is restricted to only one region at a time
    Thanks for the great summary volcan. So, what do we have here folks ?
    Any Windows PC user [is] encouraged to download a Windows helper app (malware) which [will] download an iOS app through a fake iTunes feature within the Windows app. The user is prompted for their Apple ID log in which is then stolen. This is the primary purpose of the malware.
    As already pointed out by baconstang, it is indeed a Windows malware specifically designed to steal Apple ID logins in China. Yes yes, China for now, got it.

    As most attacks towards OS X or iOS, they still have to use another platforms's weaknesses to get through, whether it's Flash, Java, Windows etc.
    And ultimately it installs an iOS malware app connected to the computer so that the pirate user can go ahead and steal games. Is there no honour amongst thieves ?
    Stick with Apple devices to connect to the Apple App Store and you'll always be protected … until the Feds break it. Got it. Are the Feds working for the Chinese ?

    That being said, Apple still has to fix this man in the middle weakness over there, because no one will remember that it's Windows malware, except the pirates.
    baconstangtdknox
  • Reply 18 of 23
    dasanman69dasanman69 Posts: 12,974member
    volcan said:
    Not the case with Palo Alto. They don't sell PC/Mac/iPhone virus protection. They provide businesses with network intrusion protection and prevention for commercial enterprise applications.
    Ikrupp subscribes to the "Apple can do no wrong" philosophy. Anything negative about Apple must be a lie. 
    And don't forget 'the Chinese don't matter'. 
    gatorguy
  • Reply 19 of 23
    mcdavemcdave Posts: 1,094member
    So the user can download pirated software.

    So this is elective malware not really malware.

    A bit like "I accidentally fell into a prostitute".

    And the haters clamour as always.
    baconstangtdknoxronncyberzombie
  • Reply 20 of 23
    mcdave said:
    So the user can download pirated software.

    So this is elective malware not really malware.

    A bit like "I accidentally fell into a prostitute".

    And the haters clamour as always.
    "Anti-social engineering"?
Sign In or Register to comment.