Apple iOS Malware Is Your Worst Enemy

Recently discovered Apple iOS malware has allowed hackers to steal login credentials of more than 250,000 Apple accounts, making it the largest compromise of its kind.

According to Palo Alto Networks, the KeyRaider malware only infects devices that are already jailbroken; on those devices it allows attackers to steal not only passwords but also App Store purchases.

KeyRaider spreads through a third-party Cydia repository, an alternative to Apple’s own App Store. The malicious code affects users in more than 18 countries, including the USA, the UK, France, Japan and Russia.

Once a device is infected, the malware intercepts iTunes traffic and steals practically all of the data transmitted. According to the latest reports, KeyRaider does not only hijack data: in some cases it has also disabled devices until a ransom is paid by the victim.

The malware was first discovered because of unusual App Store behavior. A student from Yangzhou University in China and a member of WeipTech (an amateur technical group made up of users of Weiphone, one of the largest Apple fan websites in China) noticed unauthorized App Store purchases. When he investigated the tweaks that the jailbreak had installed, he noticed that one of them was uploading user data to a clandestine database.

Cyber attackers can use the victims’ accounts and passwords to launch practically any kind of attack. They are able to control devices from anywhere using Find My Phone through iCloud, and to hijack information in iMessage logs, location data, e-mails, contacts and photos.

Additionally, there are many other ways to profit from these stolen accounts, like: Ransom, Device Unlocking, App Promotion, Cash Back and Spam.

Palo Alto Networks has released DNS signatures to cover KeyRaider’s C2 traffic to prevent the malware from relaying credentials in protected networks.

Users can use the following method to determine for themselves whether their iOS device is infected:

  1. Install the OpenSSH server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/ and grep all files under this directory for these strings:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, Palo Alto Networks urges users to delete it and delete the plist file with the same filename, then reboot the device.
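The check above as a POSIX shell script, added here as an illustration (it is not Palo Alto Networks’ code): it greps every .dylib under the directory for the four indicator strings, names the companion .plist, and leaves the deletion and reboot to the user. The function names, the directory argument and the exit-status convention are assumptions.

```shell
#!/bin/sh
# Added example: scan a MobileSubstrate DynamicLibraries directory for the
# four KeyRaider indicator strings named in the text. Run it on the jailbroken
# device over SSH (default path below) or on a copy of that directory.
# It only reports; removing the dylib and its .plist is left to the user.

KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"

# keyraider_scan [DIR]
# Prints "<dylib> <matched-string>" for every dylib containing an indicator,
# followed by the companion .plist (same base name) if one exists.
# Returns 0 when nothing matched, 1 when at least one indicator was found.
keyraider_scan() {
    dir=${1:-/Library/MobileSubstrate/DynamicLibraries}
    found=0
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue
        for s in $KEYRAIDER_STRINGS; do
            # -a treats the binary as text, -q only sets the exit status
            if grep -aq -- "$s" "$f"; then
                found=1
                echo "$f $s"
                plist="${f%.dylib}.plist"
                [ -f "$plist" ] && echo "  companion plist: $plist"
                break
            fi
        done
    done
    return $found
}

# keyraider_match_count [DIR]: number of dylibs containing any indicator
keyraider_match_count() {
    keyraider_scan "$1" | grep -c '\.dylib ' || true
}

# Example invocation on the device (prints nothing on a clean install):
# keyraider_scan /Library/MobileSubstrate/DynamicLibraries
```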

KeyRaider serves as a good reminder that every user should proceed with caution when jailbreaking their devices.

Jailbreaking might give you new possibilities to change app icons, install new apps and so on, but users should remember that security and privacy are more important than a different color for the ‘Contacts’ icon.
