A new iOS Malware "KeyRaider" Steal 2,25,000 Apple Account Of Jailbroken Device

Palo Alto and Weip Tech have discovered 92 new malware in iOS Device that compromise the 225,000 Apple accounts On jailbroken iOS device.A new malware keyRaider allow the attacker to take over Victim device.It even allow to access the victim Apple store without credential.The malware malicious code exists in Mach-O dynamic libraries that hooks with the system process through mobile substrate framework and used as plugins.

KeyRaider Steal:

  • Apple account Username
  • Password
  • Intercept iTunes Traffic
  • Push Notification
  • History Of App Store
  • And even use for Ransomware.

Keyraider is capable to disable the local and remote unlocking function of iOS device. Keyraider malware steal the data from victim account and upload the data to command and control (C2) .They identified two different C2 servers.
  • top100.gotoip4[.]com
  • www.wushidou[.]cn
After resolving the domain name,resolved ip address is use four php script on the server to access the databases :
  •  aid.php
  • cert.php
  • other.php 
  • data.php
The main purpose of this attack was to make it possible for user to Official purchase the application without paying the money. WeipTech reversed engineered the jailbreak tweak and found AES encryption with the fixed key of “mischa07”. WeipTech found a table named “aid” that contains 225,941 total entries. Approximately 20 thousands entries include usernames, passwords and GUIDs in plaintext, while the rest of the entries are encrypted.The encrypted credentials can be decrypted using this static key.

Researchers also reported that jailbreak tweaks did not contain malicious code to steal password and upload them into C2 server.There was other malware which is collection the data and uploading to C2 server and researcher named the malware KeyRaider.

Keyraider only spreads through  Weiphone’s Cydia repositories for jailbroken iOS devices.One user of weiphone, named “mischa07”, uploaded the 15  KeyRaider samples to his personal repository so far in 2015 and researcher also discovered the AES encryption key "mischa07" at the time of reverse engineering the application."mischa07" may be the author of KeyRaider as his user name was  hard-coded into the tweaks as the encryption and decryption key.

Uploded interesting tweaks is available in mischa07’s repository:
  • iappstore : Provides service to download non-free apps from Apple’s official App Store without purchase.
  • iappinbuy: Provides service to get some official App Store apps’ In-App-Purchasing items totally free.

The iappinbuy received 20,199 downloads , while iappstore got 62.

Researchers also filtered the email addresses from the stolen Apple IDs and found more than half of them used email service provided by Tencent. Below are top 10 most popular stolen account:
  • @qq.com
  • @163.com
  • @icloud.com
  • @gmail.com
  • @126.com
  • @hotmail.com
  • @sina.com
  • @vip.qq.com
  • @me.com
  • @139.com

Post a Comment