Trojan Exploits Apple DRM Flaw, Plants Malware On Non-Jailbroken iOS Devices

New malware called AceDeceiver targets iOS devices in China and enables man-in-the-middle attacks through which hackers silently drop apps on infected devices.

Apple iOS devices are in the crosshairs of another malware attack that has already infected an estimated six million non-jailbroken iOS devices in China, according to researchers.

Palo Alto Networks found the new malware, called AceDeceiver, that infects iOS devices via Windows PCs and leverages design flaws in Apple’s DRM software. So far, AceDeceiver has only impacted iOS users in China, and it is unique because it is the first known successful malware infection of non-jailbroken devices using Apple’s FairPlay digital rights management system, researchers said.

“First it was XcodeGhost, then ZergHelper and now AceDeceiver. What we are seeing is a slow chipping away at Apple’s App Store security,” said Ryan Olson, director of threat intelligence for Palo Alto Networks, in an interview with Threatpost. AceDeceiver, he said, gives man-in-the-middle attackers access to iOS devices along with the ability to trick users out of their Apple IDs.

Olson said the AceDeceiver Trojan is also unique because it differs from previous iOS malware, such as ZergHelper, that abused legitimate Apple developer certificates to attack non-jailbroken Apple devices. This exploit does not. Instead, attackers are using a variation of the 2-year-old technique known as a “FairPlay Man-In-The-Middle” attack. According to Palo Alto’s report on AceDeceiver, this iteration is the first used to install malicious apps on iOS devices without a user’s knowledge.

Those behind AceDeceiver are currently only targeting users in China, Palo Alto reports. But, Olson points out, other geographic regions could easily be targeted as well.

According to researchers, attackers laid the groundwork for AceDeceiver months in advance. Between July 2015 and January 2016, Palo Alto said, attackers submitted three different flavors of AceDeceiver’s screen saver software to Apple’s App Store.

Palo Alto said the three apps were designed to trick Apple into supplying attackers with iTunes app authorization code that would later be used in tandem with a Windows application called Aisi Helper. Marketed exclusively to PC users based in China, Aisi Helper promotes itself as a utility for iOS users interested in iOS system backups and re-installation, jailbreaking, device management and system cleaning, Palo Alto said.

But when Windows users installed the Aisi Helper software on their PC and connected their iOS device to the same computer, attackers could surreptitiously install rogue apps onto the iOS devices without the users’ consent. Attackers accomplished this by spoofing Apple’s FairPlay DRM handshake using their own AceDeceiver authorization server. This type of attack is called a “FairPlay Man-In-The-Middle” attack, which was first uncovered in 2014.

When alerted to the AceDeceiver vulnerability in February, Apple removed the three apps. But, Palo Alto said, the vulnerability was still exploitable via the Aisi Helper software. “As long as an attacker could get a copy of authorization from Apple, the attack doesn’t require current App Store availability to spread those apps,” researchers wrote. Olson said the flaw in Apple’s DRM boils down to the fact that its authorization can be used outside of the iTunes ecosystem.
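The design point Olson describes, an authorization that keeps working once a copy of it leaves the ecosystem that issued it, is easiest to see in a toy model. The code below is an added illustration and is not code from Palo Alto Networks, Apple or the article; its token format, field names and the “vendor”/“device” roles are assumptions standing in for a generic DRM-style authorization handshake, not a description of FairPlay itself. It contrasts a bearer authorization bound only to the app (a captured copy installs the app on any device) with one bound to the device identity and a fresh device-issued challenge, so a captured copy is rejected elsewhere and cannot be replayed.

```python
"""Toy model of a replayable app authorization versus a device-bound one.

Added illustration; not Apple's, Palo Alto's or the article's code. The
payload fields, the HMAC 'signature' and the vendor/device roles are
assumptions standing in for a generic DRM authorization handshake.
"""
import hashlib
import hmac
import json
import secrets

VENDOR_KEY = b"constructed-vendor-signing-key"  # constructed sample key, not a real one


def _sign(payload: dict) -> str:
    """Vendor signature over a canonical JSON payload (HMAC stands in for the real scheme)."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def _valid(payload: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(payload), sig)


# --- Weak design: the authorization is a bearer token tied only to the app ---
def issue_bearer_authorization(app_id: str) -> dict:
    """Issued once a purchase succeeds. Nothing in it names the device that will
    install the app, so any client holding a copy can present it to any device."""
    payload = {"app": app_id}
    return {"payload": payload, "sig": _sign(payload)}


def bearer_device_accepts(device_id: str, auth: dict, app_id: str) -> bool:
    """The device checks only that the vendor signed an authorization for this app;
    device_id is deliberately unused, which is the flaw being modelled."""
    p = auth["payload"]
    return p["app"] == app_id and _valid(p, auth["sig"])


# --- Hardened design: bound to the device and to a fresh device-issued challenge ---
def device_challenge() -> str:
    """A nonce the installing device hands to the vendor before authorization."""
    return secrets.token_hex(16)


def issue_bound_authorization(app_id: str, device_id: str, challenge: str) -> dict:
    payload = {"app": app_id, "device": device_id, "challenge": challenge}
    return {"payload": payload, "sig": _sign(payload)}


def bound_device_accepts(device_id: str, challenge: str, auth: dict,
                         app_id: str, used: set) -> bool:
    """Accept only if the signed payload names this device and this challenge,
    and the exact authorization has not been consumed before."""
    p = auth["payload"]
    ok = (p["app"] == app_id and p["device"] == device_id
          and p["challenge"] == challenge and _valid(p, auth["sig"]))
    if not ok or auth["sig"] in used:
        return False
    used.add(auth["sig"])
    return True


def demo() -> tuple:
    """Replay a captured authorization against a device that took no part in the
    purchase. Returns (bearer_replay_accepted, bound_replay_accepted)."""
    app = "com.example.screensaver"  # constructed app id
    captured = issue_bearer_authorization(app)
    bearer_replay = bearer_device_accepts("victim-device", captured, app)

    buyer_ch = device_challenge()
    bound = issue_bound_authorization(app, "buyer-device", buyer_ch)
    victim_ch = device_challenge()
    bound_replay = bound_device_accepts("victim-device", victim_ch, bound, app, set())
    return bearer_replay, bound_replay


if __name__ == "__main__":
    print(demo())
```

The model also shows the mitigation's other half: even on the legitimate device, the hardened check consumes each authorization once, so a copy captured from a genuine install cannot be presented a second time.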

Once installed on a user’s iOS device, the AceDeceiver apps can function as a third-party app store on the device, according to researchers. The third-party app store is controlled by attackers and offers a variety of utilities and games. Users are also prompted to input their Apple IDs and passwords for unfettered access to free pirated iOS apps.

In February, Palo Alto researchers discovered a similar China-specific third-party app store that managed to slip past Apple App Store code reviewers. However, that incident involved an app named ZergHelper or XY Helper that abused a combination of Apple’s enterprise certificates and its Xcode 7 developer certificates.

In the case of ZergHelper, Apple was able to snuff out the security hole by removing the app from its store. However, Olson said Apple will have a much more difficult time neutralizing the AceDeceiver Trojan because it relies on Windows client software and uses once-valid app authorization in tandem with FairPlay DRM design flaws.

Apple did not return Threatpost’s request for comment for this article.
