Cydia Malware Steals 225,000 Apple IDs from Jailbroken iPhones


According to a report by network security firm Palo Alto Networks, a Cydia malware named “KeyRaider” has stolen over 225,000 valid Apple accounts with passwords from jailbroken iPhones by intercepting iTunes traffic on these devices. The campaign, now believed to be the largest known Apple account theft caused by malware, is distributed through third-party Cydia repositories in China and has already impacted users from 18 countries including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.

The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.  KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information. The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. 

The source notes that some victims have reported that their stolen Apple accounts show abnormal app purchasing history, and others state that their phones have been held for ransom. Meanwhile, Palo Alto Networks, in association with WeipTech, is offering services to detect the KeyRaider malware and identify stolen credentials. WeipTech has provided a query service on its website where potential victims can check whether their Apple accounts were stolen.

It’s important to remember that KeyRaider only impacts jailbroken iOS devices. Users of non-jailbroken iPhones or iPads will not be affected by this attack. If you own jailbroken devices, you can use the following method to determine whether your iOS devices were infected:

  1. Install the OpenSSH server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/, and search all files under this directory for these strings:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, delete it and also delete the plist file with the same filename, then reboot the device. It is also strongly recommended to change your Apple account password after removing the malware, and to enable two-factor verification for your Apple ID.
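As an added example (not from the article, Palo Alto Networks or WeipTech), the check in steps 1 to 3 written as a POSIX shell function to run on the device over SSH. It uses the four indicator strings listed above, defaults to the directory named in step 3, and only reports what it finds; the function name and output format are my own, and deleting the matched files is left to the operator as described in the paragraph above.

```shell
#!/bin/sh
# Scan a MobileSubstrate DynamicLibraries directory for the KeyRaider
# indicator strings from the article. For every .dylib that contains one,
# print the file and the .plist with the same base name (the pair the
# article says to remove). Returns 0 when nothing matched, 1 otherwise.
# On the device:  keyraider_scan /Library/MobileSubstrate/DynamicLibraries
keyraider_scan() {
    dir="${1:-/Library/MobileSubstrate/DynamicLibraries}"
    found=0
    for lib in "$dir"/*.dylib; do
        # With no .dylib present the glob stays literal; skip it
        [ -f "$lib" ] || continue
        for s in wushidou gotoip4 bamu getHanzi; do
            # -q: no output; -a: treat the binary as text so grep reports a hit
            if grep -qa -- "$s" "$lib"; then
                found=1
                plist="${lib%.dylib}.plist"
                printf 'INFECTED: %s (indicator "%s")\n' "$lib" "$s"
                [ -f "$plist" ] && printf '  remove also: %s\n' "$plist"
                break   # one indicator is enough to flag this file
            fi
        done
    done
    return $found
}
```

Run it once before cleaning to get the list of files, and again after the reboot to confirm the directory comes back clean (exit status 0).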


BrodieTheDog
10 years ago

Haha. That sucks but that’s the risk you take.

Cornfed710
10 years ago

The walled garden can’t help you if you jump the wall. With China getting big into iOS I’m sure we’ll see many similar things to come. I love my ? walls lol

ShaBi
Reply to  Cornfed710
10 years ago

People can say what they want, but I’d much rather stay comfortably inside the garden, riding those unicorns.

xxxJDxxx
10 years ago

The link to the site to check if your account was compromised links to an all Chinese website?
