June 28, 2022
KeyRaider Malware Has Stolen Over 225,000 Apple Accounts From Jailbroken iOS Devices

KeyRaider Malware Has Stolen Over 225,000 Apple Accounts From Jailbroken iOS Devices

Posted August 31, 2015 at 10:03pm by iClarified · 21844 views
Palo Alto Networks has identified a new iOS malware family dubbed 'KeyRaider' which has stolen over 225,000 valid Apple accounts with passwords from jailbroken devices. With help from WeipTech, the company found 92 samples of malware responsible for may be the largest theft of Apple accounts caused by malware.

KeyRaider is distributed through third-party Cydia repositories, primarily in China. It hooks system processes through MobileSubstrate and steals Apple account usernames, passwords and device GUIDs by intercepting iTunes traffic. It also steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The stolen data is uploaded to a command and control server and used by two jailbreak tweaks (iappstore and iappinbuy) to facilitate free App Store purchases.

These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.

Due to a vulnerability in the command and control server, researchers were able to download about half the accounts before their presence was detected and blocked. To check if your account is on the partial list of compromised accounts, click here.

A better method to check if your device is compromised involves searching for strings on your device:

1. Install openssh server through Cydia
2. Connect to the device through SSH
3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings to all files under this directory:
● wushidou
● gotoip4
● bamu
● getHanzi

If any dylib file contains any one of these strings, Palo Alto Networks urges users to delete it and delete the plist file with the same filename, then reboot the device. It's also recommended that all affected users change their Apple account password after removing the malware, and enable two-factor verifications for their Apple IDs.

To make matters worse, KeyRaider has the ability to hold your device and account at ransom.

Some previous iPhone ransomware attacks are based on remotely controlling the iOS device through the iCloud service. Some of these attacks can be avoided by resetting the account password to regain control of iCloud. KeyRaider is different. It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of previously used “rescue” methods are no longer effective.

More details on how the malware works can be found at the link below. As usual we recommend you only install tweaks from trusted sources or default repositories.

Please follow iClarified on Twitter, Facebook, Google+, or RSS for updates.

Read More

KeyRaider Malware Has Stolen Over 225,000 Apple Accounts From Jailbroken iOS Devices
Add Comment
Would you like to be notified when someone replies or adds a new comment?
Yes (All Threads)
Yes (This Thread Only)
iClarified Icon
Would you like to be notified when we post a new Apple news article or tutorial?
You must login or register to add a comment...
3wi09876 - September 18, 2015 at 9:49pm
Can someone give examples of how to use the command?
NA - September 2, 2015 at 6:35pm
This is why you don't jailbreak folks lol dumbasses
Santosc9 - September 1, 2015 at 2:18pm
olawhale1 - September 1, 2015 at 1:17pm
@Alpina dont you get that this shiit steals your info so far you are jailbroken? !!!!!
your stupid
your stupid - September 2, 2015 at 3:02pm
Actually your wrong. It only steals your info if you installed those two tweaks after you jailbroke your phone. Those two tweaks are for getting apps for free. so those of us who aren't trying to steal apps, haven't gotten our Apple ID stolen, LEARN how to read before you post a stupid comment.
17 More Comments
Recent. Read the latest Apple News.
Tutorials. Help is here.
iPhone 13 Pro Repair Manual PDF [Download]
How to Add Widgets on iPhone [Video]
iPhone 13 Repair Manual PDF [Download]
iPhone 13 Pro Max Repair Manual PDF [Download]
Where to Download macOS Monterey
Deals. Save on Apple devices and accessories.