World’s biggest iOS malware heist — 225k Apple accounts found on a server

31 Aug 2015

Around 20,000 users are abusing the 225,000 stolen credentials

In what could be the largest known Apple account theft caused by iOS malware, some 225,000 accounts from 18 countries have been found on a server by security researchers.

As many as 20,000 people are using the 225,000 accounts to get apps for free.

Proving that Apple’s iOS walled garden is still more resistant to malware than Android, the accounts related only to jailbroken iPhones, according to Palo Alto Networks.

In cooperation with WeipTech, Palo Alto Networks identified 92 samples of a new iOS malware family in the wild and has named the class of malware “KeyRaider.”

“We believe this to be the largest known Apple account theft caused by malware,” said Claud Xiao.

KeyRaider targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China.

In total, it appears this threat may have impacted users from 18 countries, including China, France, Russia, Japan, the UK, the US, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

Xiao said that KeyRaider has successfully stolen more than 225,000 valid Apple accounts and thousands of certificates, private keys and purchasing receipts, and has uploaded the data to its command and control server, which itself contains vulnerabilities that expose the stolen user information.

20,000 users are abusing 225,000 stolen Apple credentials

“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.

“KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads,” Xiao said.

Xiao said that the purpose of the attack was to make it possible for users of iOS jailbreak tweaks to download apps from the official App Store and make purchases without paying.

Jailbreak tweaks are software packages that allow users to perform actions typically impossible on iOS.

The tweaks have been downloaded more than 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.

“Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom,” Xiao said.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com