A technical group, WeipTech, consisting of users from Weiphone - one of the largest fan websites in China - found the Apple accounts on a server as they were analysing suspicious iOS tweaks reported by users.
Now, in cooperation with WeipTech, Palo Alto has said it has identified 92 samples of a new malware family in the wild, naming the culprit malware responsible for the Apple account theft, “KeyRaider”.
“We believe this to be the largest known Apple account theft caused by malware,” says Claud Xiao in his blog posted on the Palo Alto website.
Xia says Key Raider targets jailbroken iOS devices, is distributed through third-party Cydia repositories in China, and has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts – “uploading stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.”
“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreak tweaks are software packages that allow users to perform actions that aren’t typically possible on iOS.
“These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.”
According to Xia, some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.
Explaining how it works, Xia says the malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.
Palo Alto and WeipTech have now provided services which they say will detect the KeyRaider malware and identify stolen credentials.