Largest Apple Account Theft Exposes Over 225,000 Accounts From Jailbroken iOS Devices


More than 225,000 Apple accounts have been stolen so far by a recently uncovered malware family that targets jailbroken devices running iOS. Dubbed "KeyRaider," the malware harvests the Apple account credentials associated with the infected iOS devices.

Discovered last week, the KeyRaider iOS threat has now been analyzed by the security research firm Palo Alto Networks in collaboration with WeipTech, the Chinese group that first discovered the malware. KeyRaider is reportedly responsible for one of the largest Apple account thefts on record: analysts have identified a total of 92 samples of the family, all of which target jailbroken iOS devices. As with various earlier malware campaigns against jailbroken iPhones and iPads, this family has been distributed through Chinese third-party Cydia repositories.

The malware reaches a jailbroken iPhone or iPad as a tweak installed from Cydia; once running, it not only captures the device's Apple account password but also intercepts other data passing through the device.

The malware hooks system processes through MobileSubstrate and steals Apple account usernames, passwords and the device GUID by intercepting iTunes traffic on the device. KeyRaider also steals Apple Push Notification service certificates and private keys, steals and shares App Store purchase information, and disables local and remote unlocking functionality on infected iPhones and iPads.
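Because KeyRaider loads as a MobileSubstrate tweak, the practical check on a jailbroken device is to inspect the dynamic libraries MobileSubstrate injects. The script below is an added example written for this page, not code from the article or from Palo Alto Networks: it scans a tweak directory for indicator strings, and quarantines a matching dylib together with its companion .plist rather than deleting it. The directory path and the four indicator strings are taken from Palo Alto Networks' published KeyRaider detection guidance; treat them as an assumption to be verified against the vendor's current advice, and run the script on the device over SSH (OpenSSH and grep installed from Cydia).

```shell
#!/bin/sh
# Added example: scan MobileSubstrate tweak libraries for KeyRaider indicators.
# Not the article's or Palo Alto Networks' own code.
# Assumption: these indicator strings and the directory below come from Palo
# Alto Networks' original KeyRaider guidance; verify against current vendor IOCs.
KEYRAIDER_INDICATORS="wushidou gotoip4 bamu getHanzi"
TWEAK_DIR="${TWEAK_DIR:-/Library/MobileSubstrate/DynamicLibraries}"

# scan_tweaks DIR: print "<path>\t<indicator>" for every .dylib under DIR that
# contains at least one indicator string. Returns 0 when clean, 1 when any
# suspicious library was found.
scan_tweaks() {
    dir="$1"
    found=0
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue            # no .dylib files: the glob stays literal
        for ioc in $KEYRAIDER_INDICATORS; do
            # -a treats the Mach-O binary as text, -F matches the string literally
            if grep -q -a -F -- "$ioc" "$lib"; then
                printf '%s\t%s\n' "$lib" "$ioc"
                found=1
                break                       # one hit per library is enough
            fi
        done
    done
    return $found
}

# count_infected DIR: number of suspicious libraries, for scripting and checks.
count_infected() {
    scan_tweaks "$1" | wc -l | tr -d ' '
}

# quarantine_tweak LIB QDIR: move LIB and the .plist with the same basename
# (MobileSubstrate's filter file for that tweak) into QDIR so the sample can be
# inspected later. The device must be rebooted afterwards so the library is no
# longer injected into running processes.
quarantine_tweak() {
    lib="$1"
    qdir="$2"
    mkdir -p "$qdir"
    mv -- "$lib" "$qdir"/
    plist="${lib%.dylib}.plist"
    if [ -f "$plist" ]; then
        mv -- "$plist" "$qdir"/
    fi
    return 0
}

# Run the scan when executed directly as: sh keyraider_check.sh scan
if [ "${1:-}" = "scan" ]; then
    if scan_tweaks "$TWEAK_DIR"; then
        echo "no KeyRaider indicators found in $TWEAK_DIR"
    else
        echo "suspicious librar(ies) listed above: quarantine them and reboot"
    fi
fi
```

Matching a string is a weak signal on its own (the same tweak can be recompiled with different strings), so a clean result only means the known samples are absent; a hit, on the other hand, is a strong enough reason to quarantine, reboot, and change the Apple ID password from a trusted device.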

With unlocking disabled, the victim is locked out of the device, which gives the attackers a ready way to extort payment in exchange for restoring access. The stolen credentials are also used to download and buy apps without the victim's permission, so the victim can additionally be charged for purchases they never made on the card attached to the account.

Some victims have reported that their stolen Apple accounts show an abnormal app purchase history; others say their phones have been held for ransom.

The researchers further explain that the data collected by this malware family is consumed by two iOS jailbreak tweaks designed to let their users download paid apps from the App Store for free. Claud Xiao of Palo Alto Networks explained that “these two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log into Apple’s server and purchase apps or other items requested by users.”

“The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials,” explains Xiao. The researchers were able to gauge KeyRaider's impact through an SQL injection vulnerability in the command and control (C2) server to which the malware uploads the stolen data. That same flaw means the server itself further exposes the victims' information to anyone who finds it.

KeyRaider has infected iOS devices in a total of 17 countries, including China, the U.S., the U.K., Canada, Israel, Italy, Singapore, Russia, France, Japan, Australia, South Korea and Spain, making it one of the largest malware-driven Apple account theft operations "seen to date."

Stay safe, folks: KeyRaider only affects jailbroken devices, so if you do jailbreak, stick to trusted repositories, as is always advised.