KeyRaider malware stole over 225,000 Apple credentials from jailbroken iOS devices

A new iOS malware targeting jailbroken Apple devices has pulled off the "largest known Apple account theft caused by malware."

ios devices
Blake Patterson (Creative Commons BY or BY-SA)

If you have a jailbroken iOS device, then you are a target of a new malware that has successfully stolen credentials for over 225,000 Apple accounts. The malware was dubbed KeyRaider since “it raids victims’ passwords, private keys and certificates.”

Although KeyRaider malware only targets jailbroken iOS devices, it has resulted in the “largest known Apple account theft caused by malware,” according to Claud Xiao of Palo Alto Networks. KeyRaider is believed to have impacted users from 18 countries including China, United States, United Kingdom, Australia, Canada, France, Germany, Japan, Italy, Israel, Russia, Singapore, South Korea and Spain.

The attacker used decent bait, adding KeyRaider to jailbreak tweaks that supposedly allow users “to download non-free apps from Apple’s official App Store without purchase” and “to get some official App Store apps’ In-App-Purchasing items totally free.”

Palo Alto Networks added:

These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.

KeyRaider has also been incorporated into ransomware to “locally disable any kind of unlocking operations, whether the correct passcode or password has been entered.” One user reported being locked out of his phone; his screen displayed a message to contact the attacker over the QQ instant messaging service or to call a number to unlock it.

Keyraider ransomware Palo Alto Networks

KeyRaider rolled into iOS ransomware. 

The malware is being distributed through third-party Cydia repositories in China; the researchers identified 92 samples in the wild. Following the trail back to the command and control server where KeyRaider uploads the stolen data, users from the WeipTech amateur technical group discovered the server “itself contains vulnerabilities that expose user information.” And that is how they hacked the hacker, by exploiting an SQL vulnerability in the attacker’s server.

They found a database with “225,941 total entries.” About 20,000 entries included “usernames, passwords and GUIDs in plaintext,” but the remaining entries were encrypted. Besides successfully stealing more than 225,000 valid Apple accounts, KeyRaider has also stolen “thousands of certificates, private keys, and purchasing receipts.” They managed to download about half of “the entries in the database before a website administrator discovered them and shut down the service.”

Researchers believe Weiphone user “mischa07” is the author of the new malware as his username was “hard-coded into the malware as the encryption and decryption key.” He also uploaded “at least” 15 KeyRaider samples to his Weiphone personal repository. Weiphone, “unlike other Cydia sources,” gives each registered user “private repository functionality” so they can “directly upload their own apps and tweaks and share them with each other.”

When the Wei Feng Technology Group blogged about KeyRaider, it included the email sent to Apple CEO Tim Cook. The group informed Cook that the malicious app is “backdoored to record and send iCloud ID and password” to the attacker’s server and attached a list of 130,000 Apple IDs; the team then reported that it had “deliberately leaked the account list” to Apple and that “Apple will actively cooperate with the investigation of the incident.”

WeipTech email about KeyRaider to Apple CEO Tim Cook WeipTech via

Weiphone Tech team's email informing Apple CEO Tim Cook of new iOS malware KeyRaider. 

Before Palto Alto wrote about KeyRaider, Xiao said the new malware was reported to a Chinese vulnerability crowdsourcing site as well as to China’s National Internet Emergency Center (CNCERT).

WeipTech set up a query service for users to check if they have been compromised; if the jailbroken device/iOS account is not affected, users will receive a message similar to this translation: “Congratulations to this inquiry did not find matching account, but not all of the data cannot be taken lightly. However, we still recommend that you change your password, open two-step verification.”

Palto Alto also advised affected users to change their Apple account password after removing the malware, to enable two-factor verification for Apple IDs, and to steer clear of jailbreaking. Xiao wrote:

“Our primary suggestion for those who want to prevent KeyRaider and similar malware is to never jailbreak your iPhone or iPad if you can avoid it. At this point in time, there aren’t any Cydia repositories that perform strict security checks on apps or tweaks uploaded to them. Use all Cydia repositories at your own risk.”

Copyright © 2015 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon