Malware Targeting Jailbroken iPhones Steals Apple Accounts In Australia

Malware Targeting Jailbroken iPhones Steals Apple Accounts In Australia

A new family of malware that targets ‘jailbroken’ iOS devices has been discovered and it has already stolen over 225,000 Apple accounts across 18 countries including Australia. Dubbed KeyRaider, it has resulted in anything from abnormal app purchases using stolen Apple accounts to iPhones being held for ransom remotely.

KeyRaider enters iOS devices through jailbreaking software pacakges that users download to remove hardware restrictions on the Apple operating system, essentially hacking the devices. Palo Alto Networks, in conjuction with WeipTech, discovered the existence of KeyRaider and has has detailed just how the malware works:

“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.”

The malware is believed to have originated from China and uploads stolen data to a remote server. Some victims have seen abnormal app purchasing activities on their Apple accounts and others have had their phones held for ransom remotely, much like ransomeware attacks on PCs. To find out if KeyRaider is lurking around on your iOS device and then remove it, here are the steps Palo Alto Networks recommends taking the following steps:

Users can use the following method to determine by themselves whether their iOS devices was infected:

1. Install openssh server through Cydia 2. Connect to the device through SSH 3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings to all files under this directory: – wushidou – gotoip4 – bamu – getHanzi

If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.

If would also be wise to change your Apple account password after removing the malware and enable two-factor authentication for Apple IDs.

[Via Palo Alto Networks Research Centre]


  • Can someone explain the steps a little better, i installed openssh and opened a session with putty but it’s command and i don’t know how to move into a new directory.

    Fwiw… the cd command doesn’t work.

    • cd does work. Try again and keep in mind that you’re connected to an IOS device, where folder names are case sensitive.

      • Ok, the cd command does work but it says that i don’t have the MobileSubstrate directory.

        I can find the directory using ifile and i doesn’t look i am affected by the malware.

  • install ifile
    use ifile to navigate to the folder /Library/MobileSubstrate/DynamicLibraries/
    but not the /var/mobile/library (they are different)
    While in that folder u will see a list of files .dylib and .plist
    Use text viewer built-in ifile to open dylib files
    the use function search of Text viewer to find those strings

Show more comments

Comments are closed.

Log in to comment on this story!