The incident, one of the most serious to affect iOS to date, was concentrated on Chinese users, researchers said
Hundreds of thousands of iPhones have been hacked and users’ accounts compromised in what researchers called one of the most severe security issues to hit Apple’s smartphone platform to date.
The malware used in the attacks, which IT security firm Palo Alto Networks has given the name “KeyRaider”, appears to have been concentrated in China, Apple’s largest market for the iPhone, but also spread via China-based third-party software repositories to users from 18 countries, including the UK, the US, Canada, France, Russia, Japan, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea, Palo Alto said in an advisory.
KeyRaider targets handsets that have been jailbroken, a process that removes Apple’s usual security controls so that users can install software from outside the App Store, and spreads via Cydia, a third-party software distribution platform for jailbroken iOS devices. Devices that haven’t been jailbroken aren’t vulnerable to the malware, Palo Alto said.
The practice of jailbreaking is more commonplace in China than in some other regions, allowing users to make use of the numerous third-party software distribution websites in the country. Apple reported in April of this year that China had overtaken the US as its biggest market for the iPhone, on strong sales over the Chinese New Year holiday.
“We believe this to be the largest known Apple account theft caused by malware,” said Palo Alto researcher Claud Xiao.
Xiao said Palo Alto worked with WeipTech, the China-based iPhone user group that first discovered the issue, to identify 92 samples of KeyRaider in the wild.
WeipTech found more than 225,000 valid Apple accounts with passwords stored on KeyRaider’s command-and-control servers, meaning that at least that number of accounts are likely to have been compromised, Xiao said. The malware also steals certificates, private keys and purchasing receipts, he said.
KeyRaider also allows the attackers to take control of the device’s lock function, and some users reported having their handsets remotely locked and then ransomed, according to the advisory.
The malware was found in add-ons, or “tweaks”, for jailbroken iPhones distributed through Cydia repositories operated by Weiphone, one of China’s largest fan websites, Palo Alto said.
The stolen account details appear to have been used by two other add-ons which allowed their users to download paid software and in-app purchases from Apple’s App Store for free, Palo Alto said. The purchases were apparently paid for using the credentials stolen by KeyRaider, according to the advisory.
“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying,” Xiao wrote. “The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.”
WeipTech tracked down KeyRaider after noticing abnormal App Store purchasing history last month, and publicised their findings on a Weibo account last week, Palo Alto said.
iOS has to date suffered less from security problems than Google’s Android platform, due to the tight security screening Apple carries out on all software submitted to its official marketplace.
Google Play, the comparable marketplace for Android, is less carefully managed, and as a result contains far more malicious code than Apple’s App Store, according to security researchers.
As a result, nearly all new malware targets Android, researchers say, with the iOS attack code that does appear often aimed at jailbroken devices.
Last year, for instance, F-Secure said 99 percent of the new malware it discovered over a three-month period targeted Android, with only one threat during that period targeting jailbroken iOS devices.