Hackers Used iOS Malware To Steal The Biggest Number Of Apple Accounts Ever

Think twice before jailbreaking your iPhone. A recent rash of malware has helped hackers steal over 250,000 Apple accounts, the largest theft of its kind. The malware only affects jailbroken devices, but if you get pwned, hackers can not only peek at your password but also make App Store purchases without your permission.

The research team at Palo Alto Networks is calling this scary new iOS malware KeyRaider. It is distributed through Cydia, the wildly popular app that makes it easier to download and manage software on jailbroken iPhones. Once a device has been compromised, the malware starts intercepting iTunes traffic and hijacking all kinds of data. According to Palo Alto Networks, “KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.”

Weird App Store behaviour is actually how the malware was first discovered. After seeing multiple reports of unauthorised App Store purchases, a student from Yangzhou University in China looked at the jailbreak tweaks the affected users had installed and noticed that one tweak was uploading user data to a mysterious database. After gaining access to that database, the researchers found over 250,000 entries that turned out to be Apple accounts, including passwords and other credentials. Palo Alto Networks did further research and found that the tweaks were designed to help users download paid apps and make in-app purchases without paying.

It gets worse. While it’s unnerving to realise that a hacker can buy apps with an unsuspecting user’s account, KeyRaider can also be used to remotely lock a device and hold it for ransom. Palo Alto Networks explains:

It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of the previously used “rescue” methods are no longer effective.

This malware has infected a lot of users, but it only works on jailbroken phones. (Most of the affected users also appear to be located in China.) So if you haven’t jailbroken your iPhone, you should be fine. If you have, and you installed tweaks from third-party Cydia sources, change your Apple ID password, since passwords were among the credentials stolen. Let this serve as yet another warning: jailbreaking your phone might make it fun to change around your app icons or install bootleg apps or whatever, but it’s also a great way to expose yourself to malware. Beware.

[Palo Alto Networks]

Picture: Flickr