Cydia Malware Steals 225,000 Apple IDs from Jailbroken iPhones


According to a report by network security firm Palo Alto Networks, a Cydia malware named “KeyRaider” has stolen over 225,000 valid Apple accounts with passwords from jailbroken iPhones by intercepting iTunes traffic on these devices. What is now believed to be the largest known Apple account theft caused by malware is distributed through third-party Cydia repositories in China and has already impacted users in 18 countries, including China, France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.

The malware hooks system processes through MobileSubstrate and steals Apple account usernames, passwords and the device GUID by intercepting iTunes traffic on the device. KeyRaider also steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionality on iPhones and iPads.

KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information. The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. 

The source notes that some victims have reported that their stolen Apple accounts show abnormal app purchasing history, and others state that their phones have been held for ransom. Meanwhile, Palo Alto Networks, in association with WeipTech, is offering services to detect the KeyRaider malware and identify stolen credentials. WeipTech has provided a query service on its website for potential victims to check whether their Apple accounts were stolen.

It’s important to remember that KeyRaider only impacts jailbroken iOS devices. Users of non-jailbroken iPhones or iPads will not be affected by this attack. If you own jailbroken devices, you can use the following method to determine whether your iOS devices were infected:

  1. Install openssh server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/ and search all files under this directory for these strings:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, delete it and also delete the plist file with the same filename, then reboot the device. It is also strongly recommended to change your Apple account password after removing the malware, and to enable two-factor verification for your Apple ID.
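The check above, as an added example that is not from the original article or from Palo Alto Networks/WeipTech: a small POSIX shell function that scans every `.dylib` in a MobileSubstrate `DynamicLibraries` directory for the four indicator strings and prints each hit together with the companion `.plist` of the same name, so the two files the article says to delete are listed side by side. The function name and output layout are my own; the strings and the directory are the ones named on the page.

```shell
#!/bin/sh
# Added example (not the article's or the vendor's code): list MobileSubstrate
# dylibs that contain a KeyRaider indicator string, plus their companion plist.
# Strings come from the Palo Alto Networks report quoted in the article.

KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"

# keyraider_scan DIR
#   Prints one tab-separated line per suspicious dylib:
#     <dylib path>  <matched string>  <plist path or "(no plist)">
#   Exit status 0 when at least one dylib matched, 1 when the directory is clean.
keyraider_scan() {
    dir=$1
    found=0
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue            # no dylibs at all: glob stays literal
        for s in $KEYRAIDER_STRINGS; do
            # -a treats the Mach-O binary as text, -F matches the literal string
            if grep -qaF -- "$s" "$f"; then
                found=1
                plist="${f%.dylib}.plist"  # MobileSubstrate pairs foo.dylib with foo.plist
                if [ -f "$plist" ]; then
                    printf '%s\t%s\t%s\n' "$f" "$s" "$plist"
                else
                    printf '%s\t%s\t(no plist)\n' "$f" "$s"
                fi
                break                      # one indicator per file is enough to report it
            fi
        done
    done
    [ "$found" -eq 1 ]
}

# Stand-alone use over SSH on the device (step 3 of the article):
#   sh keyraider_scan.sh /Library/MobileSubstrate/DynamicLibraries
if [ $# -gt 0 ]; then
    keyraider_scan "$1"
fi
```

The function only reports; the article's remediation (delete the listed dylib and plist, reboot, then change the Apple account password) is left to the operator once the output has been reviewed. The string match is exactly the indicator the report gives, so a legitimate tweak that happens to embed one of these substrings would also be listed and should be inspected before removal.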