KeyRaider Malware Steals Certificates, Keys and Account Data From Jailbroken iPhones

Researchers have discovered a new strain of iOS malware dubbed KeyRaider that targets jailbroken devices and has the ability to steal certificates, private keys, and Apple account information. The malware has already claimed the private Apple account data of more than 225,000 victims.

The KeyRaider malware was discovered by researchers at Palo Alto Networks, who were put onto the trail of the attack by a team of amateur enthusiasts in China called WeipTech that had come across a database that was storing the stolen Apple account data. The WeipTech team had heard multiple reports that some users’ Apple accounts were being hit with unauthorized purchases, and eventually found that users of jailbroken devices who had installed a specific “tweak”, or modification, were being targeted. User data was being gathered and uploaded to a remote server.

They found a database on the server that contained more than 225,000 entries, some of which were in plaintext and others that were encrypted. The plaintext entries were Apple usernames, passwords, and GUIDs.

“By reverse-engineering the jailbreak tweak, WeipTech found a piece of code that uses AES encryption with a fixed key of ‘mischa07’. The encrypted usernames and passwords can be successfully decrypted using this static key. They then confirmed that the listed usernames were all Apple accounts and validated some of the credentials. The WeipTech researchers dumped around half of all entries in the database before a website administrator discovered them and shut down the service,” Claud Xiao of Palo Alto Networks wrote in a post explaining the attack and the KeyRaider malware.

The WeipTech team contacted Palo Alto researchers about the findings, and the researchers quickly discovered that the tweak itself wasn’t stealing the data. Rather, the KeyRaider malware was doing the dirty work. Right now, it appears that the malware is spreading only through the Cydia repositories for jailbroken iOS devices on a Chinese Apple fan site called Weiphone.

“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads,” Xiao said.

The KeyRaider malware is typically installed alongside tweaks and apps uploaded by individual users on the Weiphone site. Xiao said in his analysis that evidence in the code points to a user named “mischa07”, a term that also happens to be the hard-coded key for the encrypted data in the database the WeipTech team found. The goal of the malware seems to be to allow attackers to make unauthorized in-app purchases and other purchases using the victims’ stolen Apple account information.

“The KeyRaider malicious code exists in Mach-O dynamic libraries that are used as plugins for the MobileSubstrate framework. Through MobileSubstrate APIs, the malware can hook arbitrary APIs in system processes or in other iOS apps,” Xiao said.

KeyRaider accomplishes its feat of stealing sensitive user and device information by intercepting the communications between compromised devices and the iTunes App Store.

“When the App Store client asks the user to input their Apple account for login, the information is sent to the App Store server via an SSL encrypted session. In the replacement function of SSLWrite, KeyRaider looks for this kind of login session, and searches for specific patterns to find the Apple account’s username, password and device’s GUID in the data being transferred. Next, in the replacement function for SSLRead, these credentials are encrypted using the AES algorithm with the static key ‘mischa07’, and then sent to the KeyRaider C2 server,” Xiao said.

“In some samples, KeyRaider also hooks the apsd process — the daemon process responsible for Apple Push Notification Service on iOS systems. It hooks the SecItemCopyMatching function defined in the Security framework. This API is used to search keychain items that match a given search query.”

The latter functionality is what enables KeyRaider to steal the certificate and private key from the user’s device, which is then sent, along with the GUID, to the attacker’s C2 server. The malware also gives the attackers the ability to download and install any paid app in the App Store for free, by using a victim’s stolen account information. Xiao said KeyRaider also has functionality that can allow an attacker to hold a victim’s phone for ransom.
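The hooking behaviour described above gives a defender something concrete to look for on a jailbroken device: a MobileSubstrate plugin that references the hooked functions (SSLWrite, SSLRead, SecItemCopyMatching) and also embeds the static key ‘mischa07’. The following scanner is an added example, not code from Palo Alto Networks or WeipTech; the plugin directory path and the sample binaries it builds are assumptions for illustration, and a hit is a lead for an analyst rather than proof of infection.

```python
import os
import tempfile

# Assumed MobileSubstrate plugin directory on a jailbroken device.
PLUGIN_DIR = "/Library/MobileSubstrate/DynamicLibraries"
# Mach-O magics (32/64-bit, both byte orders) plus the fat-binary magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
HOOK_TARGETS = (b"SSLWrite", b"SSLRead", b"SecItemCopyMatching")
STATIC_KEY = b"mischa07"  # the fixed AES key named in the article

def scan_image(data):
    """Return (hook targets referenced, static key present) for one Mach-O
    image, or None if the bytes are not a Mach-O file at all."""
    if data[:4] not in MACHO_MAGICS:
        return None
    return ([t.decode() for t in HOOK_TARGETS if t in data], STATIC_KEY in data)

def scan_plugin_dir(plugin_dir=PLUGIN_DIR):
    """Map suspicious .dylib names to the hook targets they reference.
    A file is reported only when it names at least one hook target AND
    embeds the static key: hooking SSLRead alone is common in legitimate
    tweaks, the key is what ties an image to this family."""
    hits = {}
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".dylib"):
            continue
        with open(os.path.join(plugin_dir, name), "rb") as fh:
            result = scan_image(fh.read())
        if result and result[0] and result[1]:
            hits[name] = result[0]
    return hits

def build_sample_dir():
    """Constructed sample input: one benign tweak, one KeyRaider-like image."""
    header = b"\xcf\xfa\xed\xfe" + b"\0" * 28  # 64-bit little-endian magic
    samples = {
        "BenignTweak.dylib": header + b"_SSLRead\0harmless tweak\0",
        "Suspicious.dylib": header + b"_SSLWrite\0_SSLRead\0"
                            b"_SecItemCopyMatching\0mischa07\0",
        "notes.txt": b"mischa07 SSLWrite",  # not a .dylib, ignored
    }
    d = tempfile.mkdtemp()
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d

if __name__ == "__main__":
    for name, targets in scan_plugin_dir(build_sample_dir()).items():
        print(f"{name}: hooks {targets} and embeds static key {STATIC_KEY!r}")
```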

“It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of the previously used ‘rescue’ methods are no longer effective,” Xiao said.

Palo Alto notified Apple of the attack last week and gave the company the stolen account information, as well.