Recently, we reported that a Chinese security website, WooYun, had found that upwards of 220,000 iCloud accounts and passwords had been stolen through jailbroken iPhones. At the time, there was little information going around as to the details of the attacks.
Now, though, some more light has potentially been shed on the situation, or on a situation similar to the one in that first report. According to research by the team at Palo Alto Networks, a new piece of malware named “KeyRaider” has been discovered, and it has been used to steal credentials for over 250,000 Apple accounts to date. This malware only infects jailbroken devices, but once it takes hold on a handset it can harvest password information and let the attackers buy things from the App Store without the owner’s permission.
This malware is distributed through Cydia, the popular app that makes it easier both to manage the apps installed on a jailbroken handset and to find and install apps that aren’t available in the App Store. According to the research team, KeyRaider is capable of stealing “Apple push notification service certificates and private keys,” and it also “steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.”
The KeyRaider malware was actually discovered by a student at Yangzhou University in China, after he noticed odd App Store behavior and did some digging. After working out which of the users who had been complaining about unauthorized App Store purchases were infected, and what kind of apps they had been installing, the student noticed that one tweak was uploading user data to an unknown server. That is where the more than 250,000 entries were found, including Apple IDs, passwords, and the other details needed to access the accounts.
The KeyRaider malware can also remotely lock a handset and keep it inaccessible until a ransom is paid, according to Palo Alto:
“It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of the previously used ‘rescue’ methods are no longer effective.”
There are a couple of things to note here. The first is that the majority of the users affected by this malware are located in China. Perhaps most importantly, this malicious software only infects jailbroken devices. So, for those of you who don’t have a jailbroken device, KeyRaider doesn’t appear to be something you have to worry about.
Of course, this is a good time to suggest enabling two-factor authentication directly through Apple. With two-step verification, an unknown user wouldn’t be able to access your iCloud information, even with your email and password, without that extra piece of information. If you haven’t set it up yet, here’s a how-to for enabling it.