Over 225,000 Apple Accounts Have Been Compromised via iOS Malware in Cydia
Apple has long warned of the security risks, and those concerns are playing out in reality as users in up to 17 countries find their Apple account details compromised by the KeyRaider malware.
KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts.
Apple’s walled iOS garden is more resistant to malware than Android, though there are still malware apps that can take advantage of Apple’s mobile operating system.
WeipTech, a team of Chinese amateur cybersecurity enthusiasts, noticed suspicious activity and immediately alerted security researchers at Palo Alto Networks.
Palo Alto Networks believes this is the largest theft of Apple user credentials done with malware.
On Sunday, August 30, Palo Alto Networks’ Claud Xiao divulged through a blog post that KeyRaider was distributed via China-based “third-party Cydia repositories”.
“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device”, Mr Xiao said.
“KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads”, Xiao said.
While jailbreaking can allow users to install various apps and tweaks, the practice can expose iOS devices to various security flaws.
KeyRaider has spread by being bundled into jailbreak tweaks, software packages that add new functionality to iOS.
The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.
“These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users”.
Ransom message on locked iPhone.
WeipTech only recovered about half of the stolen accounts “before the attacker fixed the vulnerability”, Xiao wrote.
The unusual behavior of these malware apps was discovered in July, and researchers have been able to hack into the malware creators’ server, collect data and reverse-engineer the jailbreak tweak in order to describe how it works and warn potential victims.
It is suspected that a user who goes by the username “mischa07” on Weiphone may be responsible for seeding KeyRaider into his personal repository of apps. The team has set up a service that lets users check whether their account has been compromised.