Jailbreaking your iPhone may seem like a good idea, and there certainly are plenty of reasons to do it. Customised themes, added features, there is almost no end to the fun available to the brave iPhone user that decides to throw away their warranty in favour of a jailbreak. Now however, jailbroken iPhones have fallen victims to what security company Palo Alto Networks says is the largest Apple account theft ever.
The hack is carried out with a piece of malware called KeyRaider. Luckily for most iPhone users, KeyRaider exclusively hacks jailbroken phones – iPhones that have had their firmware tampered with to give the owner access to its inner file systems.
For the most part, KeyRaider is encountered on Chinese websites where you can download applications for jailbroken phones. Recently however, it has been spread well beyond its usual scope into 18 countries, including the US. According to Palo Alto, who discovered the malware in cooperation with Chinese firm WeipTech, KeyRaider has stolen the records of around 225,000 valid Apple accounts and thousands of certificates, private keys and purchase receipts.
Jailbroken phones are also still able to buy applications from Apple’s App store (using the account with which the iPhone was purchased). It is here that some people with jailbroken iPhones have encountered a problem. One of KeyRaider’s features allows the hacker to use the targeted Apple account to purchase apps illegitimately, at a cost to the owner. Other people have reported their whole iPhone being locked up remotely, with no hope of having it unlocked unless they pay a ransom.
Palo Alto informed Apple of the partial database that a student from Yangzhou University (who works for WeipTech) had managed to recover on August 26. Working in cooperation, the two parties brought the problem to Apple’s attention as quickly as possible. Writing in a blog post, Claud Xiao of Palo Alto Networks said,
“We believe this to be the largest known Apple account theft caused by malware.”
KeyRaider was spread maliciously through a particular upgrade for jailbroken phones that was disseminated through the Weiphone forum for jailbreaks. A key suspect at the moment is a Weiphone forum member called ‘mischa07’, whom it is thought may have spread the malware by seeding KeyRaider into Apps in his personal folder. The reason for this suspicion is the discovery that the encryption and decryption keys for the malware in circulation is also mischa07.
So far little is known about the user, but by analysing files in mischa07’s Weiphone folder, Palo Alto was able to verify that the forum member had indeed uploaded various ‘tweaks’ for iPhones. These include ones to help people cheat on games, hide adverts and personalise their systems.
In the blog Xao explains how KeyRaider can be used to lock a phone for ransom, describing that the malware can ‘locally disable any kind of unlocking operations, whether the correct passcode or password has been entered.’ One iPhone user reportedly received a message that told him to make contact via the QQ messaging service if he wanted to get his smartphone unlocked.
According to Xao, the server that was discovered by WeipTech communicates with KeyRaider by intercepting communications going from Apple to the phone and Vise-Versa, simultaneously setting up a database of stolen information. It was from this database that WeipTech was able to recover the details of over 225,000 stolen accounts. Unfortunately, only half of the stolen accounts’ info was recovered before the vulnerability in the attackers database was locked up, ending WeipTech’s ability to gather stolen data.