AceDeceiver: The First iOS Trojan to Exploit Non-Jailbroken Devices

A new family of iOS malware called “AceDeceiver” has been discovered by Palo Alto Networks, which describes it as the first iOS trojan able to infect non-jailbroken devices without abusing an enterprise certificate. According to the researchers, what sets AceDeceiver apart from earlier iOS malware is that it installs itself by exploiting design flaws in Apple’s DRM mechanism rather than by relying on enterprise certificates.


The source notes that although Apple has now pulled the AceDeceiver apps from the App Store, the malware can still infect iOS devices. It abuses design flaws in Apple’s DRM protection mechanism, FairPlay, to install malicious apps on iPhones, iPads and iPod touches without the device being jailbroken. The technique, known as “FairPlay Man-In-The-Middle (MITM)”, has previously been used to distribute pirated iOS apps, but this is the first time it has been seen used to spread malware.

In a FairPlay MITM attack, the attacker purchases an app from the App Store, then intercepts and saves the authorization code Apple returns for that purchase. The attacker then builds PC software that mimics the behaviour of the iTunes client and replays the saved authorization, tricking the iOS device into believing the app was purchased by the victim. This lets a user install apps they never actually paid for, and it lets the author of that PC software push potentially malicious apps onto the device without the user’s knowledge.
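
The following is an added toy model of the flaw class described above and is not Apple’s FairPlay format, wire protocol or any code from the original report. The token layout, the HMAC-based store signature, the catalog set and the device-side checks are all constructed simplifications. It shows the two points that matter: an authorization that only says “this account bought this app” can be captured once and replayed to any device, and it keeps verifying after the store removes the app; a device-bound variant (nonce issued by the installing device and signed into the authorization) makes the same replay fail.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample key; a real store would use an asymmetric signing key.
STORE_KEY = b"constructed-store-signing-key"

# Apps the store currently offers. Removing an app here models the store pulling it.
STORE_CATALOG = {"com.example.wallpaper"}


def _sign(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()}


def _verify(token):
    body = json.dumps(token["payload"], sort_keys=True).encode()
    expected = hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


# ---- weak design: the authorization names only the app and the buyer ----

def store_authorize_unbound(app_id, account):
    """Issue a purchase authorization; refuses apps no longer in the catalog."""
    if app_id not in STORE_CATALOG:
        raise LookupError("app not available in store")
    return _sign({"app": app_id, "account": account})


def device_install_unbound(device_id, token):
    """Device checks only the store signature; nothing ties the token to it."""
    return _verify(token)


# ---- hardened design: a device-issued nonce is signed into the authorization ----

def device_challenge(device_id):
    """Installing device generates a fresh nonce that the store must sign over."""
    return {"device": device_id, "nonce": secrets.token_hex(8)}


def store_authorize_bound(app_id, account, challenge):
    if app_id not in STORE_CATALOG:
        raise LookupError("app not available in store")
    return _sign({"app": app_id, "account": account,
                  "device": challenge["device"], "nonce": challenge["nonce"]})


def device_install_bound(device_id, challenge, token):
    """Accept only a token signed over this device's identity and its own nonce."""
    p = token["payload"]
    return (_verify(token)
            and p.get("device") == device_id
            and p.get("nonce") == challenge["nonce"])


def replay_scenario():
    """Returns (unbound_replay_ok, unbound_replay_ok_after_pull, bound_replay_ok)."""
    app = "com.example.wallpaper"
    STORE_CATALOG.add(app)
    # Step 1: attacker buys the app with their own account and keeps the token.
    captured = store_authorize_unbound(app, "attacker@example.com")
    # Step 2: a fake iTunes client replays it to a victim device that never paid.
    unbound_ok = device_install_unbound("victim-device", captured)
    # Step 3: the store pulls the app; the saved token still verifies.
    STORE_CATALOG.discard(app)
    after_pull_ok = device_install_unbound("another-victim-device", captured)
    # Step 4: with binding, a token captured for the attacker's own device and
    # nonce fails on a victim device that issued a different challenge.
    STORE_CATALOG.add(app)
    attacker_ch = device_challenge("attacker-device")
    captured_bound = store_authorize_bound(app, "attacker@example.com", attacker_ch)
    victim_ch = device_challenge("victim-device")
    bound_ok = device_install_bound("victim-device", victim_ch, captured_bound)
    STORE_CATALOG.discard(app)
    return unbound_ok, after_pull_ok, bound_ok


if __name__ == "__main__":
    print(replay_scenario())  # (True, True, False)
```

The middle value is the reason store removal alone does not end the campaign: the store is not consulted at install time in the weak design, so a token obtained while the app was listed is as good as new afterwards. The bound variant fixes replay but not the other half of the problem, a malicious app that passed review; that still needs the app itself to be blocked on the device.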

Three different iOS apps in the AceDeceiver family were uploaded to the official App Store between July 2015 and February 2016, all of them posing as wallpaper apps. Between them, these apps bypassed Apple’s code review at least seven times. In this case AceDeceiver only shows its malicious behaviour when the device is located in China, but that check would be easy for the attacker to change at any time.

While Apple has removed all three malicious apps from the App Store, the source claims the attack remains viable because the FairPlay MITM technique only requires the apps to have been available in the App Store once.

So as long as an attacker was once able to obtain a copy of the authorization from Apple, the attack does not depend on the apps still being in the App Store to spread them. To find out more, hit up the source page.