A new family of malware that targets 'jailbroken' iOS devices has been discovered and it has already stolen over 225,000 Apple accounts across 18 countries including Australia. Dubbed KeyRaider, it has resulted in anything from abnormal app purchases using stolen Apple accounts to iPhones being held for ransom remotely.
KeyRaider enters iOS devices through jailbreaking software packages that users download to remove hardware restrictions on the Apple operating system, essentially hacking the devices. Palo Alto Networks, in conjunction with WeipTech, discovered the existence of KeyRaider and has detailed just how the malware works:
"The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."
The malware is believed to have originated in China and uploads stolen data to a remote server. Some victims have seen abnormal app purchasing activity on their Apple accounts, and others have had their phones held for ransom remotely, much like ransomware attacks on PCs. To find out whether KeyRaider is lurking on your iOS device, and to remove it, Palo Alto Networks recommends the following steps:
Users can use the following method to determine by themselves whether their iOS devices were infected:
1. Install openssh server through Cydia
2. Connect to the device through SSH
3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings in all files under this directory:
- wushidou
- gotoip4
- bamu
- getHanzi
If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.
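As an added example (not from the article and not Palo Alto Networks' own tooling), the grep step above as a POSIX shell script: it scans a DynamicLibraries directory for the four indicator strings and reports each matching dylib together with the same-named plist that the removal step refers to. The default path is the one the article names; the sample directory it builds is constructed here so the script can be exercised off-device.

```shell
#!/bin/sh
# Added example: scan a MobileSubstrate DynamicLibraries directory for the
# KeyRaider indicator strings quoted in the article. Nothing is deleted;
# the output lists the dylib, its companion plist, and the string that hit.

INDICATORS="wushidou gotoip4 bamu getHanzi"

# scan_dir DIR: prints "dylib plist indicator" per hit, returns 1 if any hit
scan_dir() {
    dir="$1"
    hits=0
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue
        for ind in $INDICATORS; do
            # -a treats the Mach-O binary as text, -q reports only exit status
            if grep -aq -- "$ind" "$lib"; then
                hits=$((hits + 1))
                printf '%s %s %s\n' "$lib" "${lib%.dylib}.plist" "$ind"
                break
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# make_sample DIR: constructed fixtures, one clean dylib and one that
# carries an indicator string (stand-ins for real Mach-O files)
make_sample() {
    dir="$1"
    mkdir -p "$dir"
    printf 'harmless tweak\0code\0' > "$dir/Clean.dylib"
    printf 'tweak\0gotoip4\0more' > "$dir/Suspect.dylib"
    : > "$dir/Suspect.plist"
}

# With no argument, scan the directory the article names (run over SSH on
# the jailbroken device); pass a directory to scan somewhere else.
if [ "$#" -eq 0 ]; then
    scan_dir /Library/MobileSubstrate/DynamicLibraries
else
    scan_dir "$1"
fi
```

A non-zero exit status means at least one dylib matched; each reported plist is the file the removal step says to delete alongside the dylib.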
It would also be wise to change your Apple account password after removing the malware and to enable two-factor authentication for your Apple ID.