Hackers Stole the Biggest Number of Apple Accounts Ever with iOS Malware


Think twice before jailbreaking your iPhone. A recent rash of malware has helped hackers steal over 250,000 Apple accounts, the largest theft of its kind. The malware only affects jailbroken devices, but if you get pwned, hackers can not only peek at your password but also make App Store purchases without your permission.


The research team at Palo Alto Networks is calling this scary new iOS malware KeyRaider. It works through the wildly popular Cydia app, which makes it easier to download and manage apps on jailbroken iPhones. Once a user’s been compromised, the malware starts intercepting iTunes traffic and hijacking all kinds of data. According to Palo Alto Networks, “KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.”

Weird App Store behavior is actually how the malware was first discovered. After seeing multiple reports of unauthorized App Store purchases, a student from Yangzhou University in China looked at the jailbreak tweaks the affected users had installed and noticed that one tweak was uploading user data to a mysterious database. After gaining access, they found over 250,000 entries that turned out to be Apple accounts, including passwords and other credentials. Palo Alto Networks did further research and found that the tweaks were designed to help users download non-free apps and make in-app purchases without paying.

It gets worse. While it’s unnerving to realize that a hacker can buy apps with an unsuspecting user’s account, KeyRaider can also be used to remotely lock a device and hold it for ransom. Palo Alto Networks explains:

It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of the previously used “rescue” methods are no longer effective.

This malware has infected a lot of users, but again, it only works on jailbroken phones. (Most of the affected users also appear to be located in China.) So if you haven’t jailbroken your iPhone, you should be fine. Let this serve as yet another warning: jailbreaking your phone might make it fun to change around your app icons or install bootleg apps or whatever, but it’s also a great way to expose yourself to malware. Beware.

[Palo Alto Networks]


Contact the author at adam@gizmodo.com.
Public PGP key
PGP fingerprint: 91CF B387 7B38 148C DDD6 38D2 6CBC 1E46 1DBF 22A8




Dumbest hack alert ever! All this article did was to scare me into knowing that my jailbroken iPhone is at risk - everyone who jailbreaks knows this. It doesn’t tell me anything more.

1. “one tweak was uploading user data to a mysterious database” - which tweak? I can’t check if I’m at risk... or whether I have the tweak

2. The source article links to a non-existent or unreachable page

I’m sorry Adam, your blogs have been really good, but there’s some key info missing. I’ll get back if I get some more info from Google about KeyRaider.