May 26, 2024
KeyRaider Malware Has Stolen Over 225,000 Apple Accounts From Jailbroken iOS Devices

KeyRaider Malware Has Stolen Over 225,000 Apple Accounts From Jailbroken iOS Devices

Posted August 31, 2015 at 10:03pm by iClarified
Palo Alto Networks has identified a new iOS malware family dubbed 'KeyRaider' which has stolen over 225,000 valid Apple accounts with passwords from jailbroken devices. With help from WeipTech, the company found 92 samples of malware responsible for may be the largest theft of Apple accounts caused by malware.

KeyRaider is distributed through third-party Cydia repositories, primarily in China. It hooks system processes through MobileSubstrate and steals Apple account usernames, passwords and device GUIDs by intercepting iTunes traffic. It also steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The stolen data is uploaded to a command and control server and used by two jailbreak tweaks (iappstore and iappinbuy) to facilitate free App Store purchases.


These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.

Due to a vulnerability in the command and control server, researchers were able to download about half the accounts before their presence was detected and blocked. To check if your account is on the partial list of compromised accounts, click here.

A better method to check if your device is compromised involves searching for strings on your device:

1. Install openssh server through Cydia
2. Connect to the device through SSH
3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings to all files under this directory:
● wushidou
● gotoip4
● bamu
● getHanzi


If any dylib file contains any one of these strings, Palo Alto Networks urges users to delete it and delete the plist file with the same filename, then reboot the device. It's also recommended that all affected users change their Apple account password after removing the malware, and enable two-factor verifications for their Apple IDs.

To make matters worse, KeyRaider has the ability to hold your device and account at ransom.

Some previous iPhone ransomware attacks are based on remotely controlling the iOS device through the iCloud service. Some of these attacks can be avoided by resetting the account password to regain control of iCloud. KeyRaider is different. It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of previously used “rescue” methods are no longer effective.

More details on how the malware works can be found at the link below. As usual we recommend you only install tweaks from trusted sources or default repositories.

Please follow iClarified on Twitter, Facebook, or RSS for updates.

Read More


KeyRaider Malware Has Stolen Over 225,000 Apple Accounts From Jailbroken iOS Devices
Add Comment
Would you like to be notified when someone replies or adds a new comment?
Yes (All Threads)
Yes (This Thread Only)
No
iClarified Icon
Notifications
Would you like to be notified when we post a new Apple news article or tutorial?
Yes
No
Comments (16)
You must login or register to add a comment...
3wi09876
3wi09876 - September 18, 2015 at 9:49pm
Can someone give examples of how to use the command?
ff6ef3c
ff6ef3c - September 1, 2015 at 9:59pm
Shaun- nope that's was Apple too one text message and crashes the phone and reboots lol hahahha even that you don't know lol what a troll itroll lol
Santosc9
Santosc9 - September 1, 2015 at 2:18pm
HAHAHAHAHA
olawhale1
olawhale1 - September 1, 2015 at 1:17pm
@Alpina dont you get that this shiit steals your info so far you are jailbroken? !!!!!
stevenlacross
stevenlacross - September 2, 2015 at 3:02pm
Actually your wrong. It only steals your info if you installed those two tweaks after you jailbroke your phone. Those two tweaks are for getting apps for free. so those of us who aren't trying to steal apps, haven't gotten our Apple ID stolen, LEARN how to read before you post a stupid comment.
Me
Me - September 3, 2015 at 3:19pm
never says the malware comes from those two tweaks. only that the two tweaks are using the stolen info. it doesn't seem like they're figured out yet exactly which tweaks are loading the malware into the phone
Alpina
Alpina - September 1, 2015 at 8:08am
Im Jailbroken. But not effected. I allways get my Apps from App Store.
1
RS4EVER
RS4EVER - September 1, 2015 at 3:26am
No bashing hiding behind a computer, just stick to the issue at hand. Both Android and IOS has security flaws. You can jailbreak or root because of security flaws. No software is secure so you have to live with it. Please be civilized and only say what you will say in front of a crowd of people, not hiding behind a computer.
Rocko
Rocko - September 1, 2015 at 1:19am
Those who say that people who jailbreak do it to steal apps, clearly missed the mark. While it is possible to do, the vast majority of the jailbreak community do it make their iPhone experience better. Tweak lockscreen, add functionality, and overall make their phone more personal. Yes it sucks that because jailbroken phones have the ssh ability they are vulnerable, but you can tweak your phone to only allow ssh when you want to use it. So those of you saying all jailbreakers are pirates and getting what they deserve need to research what jail breaking is before you hate it. You sound ignorant.
Jimmy Crack Corn
Jimmy Crack Corn - September 1, 2015 at 3:46am
This is simply not true. Saurik and Musclenerd have both acknowledged that traffic data from jailbroken phones tells us that the VAST MAJORITY of jailbreakers do it to pirate apps.
Chinky Chink
Chinky Chink - August 31, 2015 at 11:53pm
HAHA I have been saying this for years you really do not know what lurking or who's looking into your jailbroken iDevices...
youguess
youguess - August 31, 2015 at 11:19pm
Good! y'all jailbroken dudes are giving Apple a bad name.
Kornmehl
Kornmehl - August 31, 2015 at 11:08pm
Yo Ho Ho! Pirates never learn.
Ld
Ld - August 31, 2015 at 10:33pm
My device is jailbroken and i do pay for all my apps.
syllab
syllab - August 31, 2015 at 10:31pm
@iClarified team: for the second method recommended in the post, it would be useful, I think to add step-by-step instructions how to grep for those strings, for the average users who might know about openssh and use of the terminal but might master the use of terminal commands like grep...
stevenlacross
stevenlacross - August 31, 2015 at 10:27pm
I feel sorry for those who have had their accounts hacked, but you got them hacked by trying to get shit for free, so you kinda deserve it.
Recent. Read the latest Apple News.
RECENT
Tutorials. Help is here.
TUTORIALS
Where to Download macOS Monterey
Where to Download macOS Ventura
AppleTV Firmware Download Locations
Where To Download iPad Firmware Files From
Where To Download iPhone Firmware Files From
Deals. Save on Apple devices and accessories.
DEALS