New ‘AceDeceiver’ iOS trojan found in China can bypass Apple’s DRM


AceDeceiver graph

A new discovery by Palo Alto Networks indicates that there is a new iOS-based trojan in the wilds of China.

According to the firm, what they’re calling “AceDeceiver” has been found in China, and it’s capable of infecting non-jailbroken iOS devices through a personal computer, all the while accomplishing this without the need of an exploit through an enterprise certification. Right now, the trojan is apparently only affecting users in China.

AceDeceiver works by taking advantage of the FairPlay digital rights management (DRM) system that Apple has in place, through what’s called a “FairPlay Main-in-the-Middle,” as Palo Alto Networks calls it. In the past, this same method has been used to distribute pirated iOS apps by using fake iTunes software, as well as altered authorization codes. That same technique is now being used to spread the trojan.

“Apple allows users purchase and download iOS apps from their App Store through the iTunes client running in their computer. They then can use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code.

AceDeceiver iOS app

They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.”

It’s been discovered that from July 2015 to February 2016, at least three different AceDeceiver apps were uploaded to the official iOS App Store. They were apparently posing as wallpaper apps, and it gave those behind the apps fake authorization codes to use in the attack. On top of that, a Windows-based iPhone management app called “Aisi Helper” (which claimed to offer system backup services), has been used to install malicious iOS apps to iOS devices that are connected directly to the PC. It did so by offering access to a third-party app store, which offered free apps. That third-party app store could only be accessed by inputting the user’s Apple ID and password, to which it immediately became available to the attackers.

Apple officially removed the AceDeceiver apps in February, however the infection is still present on devices where it was installed because the authorization codes are still in the hands of the attackers. And while a fix may come in a patch down the road, it’s possible that older devices, even after a patch is released, could still suffer from the trojan.

The best course of action at this point is for anyone that has installed the Aisi Helper app on their Windows-based PC to remove it immediately. You can also read up on AceDeceiver on Palo Alto Network’s website, available through the source link below.

[via MacRumors; Palo Alto Networks]

Like this post? Share it!