Categories
iOS News security Software

KeyRaider malware steals credential information for 225,000+ jailbroken iOS devices

trojanhorse

The bad news is that more than 225,000 Apple IDs and passwords were taken from assorted iPhones via a chunk of malware dubbed “KeyRaider”, which can also remotely lock iOS devices in order to hold them to ransom.

The good news is that this only occurred with jailbroken iOS devices and probably didn’t happen to you.

According to reports, the KeyRaider software will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.


The upside is that the malware can only run on jailbroken devices, and appears to spread through only one set of Cydia repositories, run by Weiphone.

The malware was run in two software tweaks that allowed their users to download paid apps as well as make in-app purchases from the App Store for free. These tweaks used stolen credentials to make the purchases.

Users can use the following method to determine by themselves whether their iOS devices was infected:

Install openssh server through Cydia
Connect to the device through SSH
Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings to all files under this directory:
wushidou
gotoip4
bamu
getHanzi
If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.

As always, if you suspect your account’s been compromised, check your recent credit and debit card statements, change the password for your Apple ID and enable two-factor verifications for Apple IDs.

Finally, it’s been noted that not jailbreaking iOS devices is the only way to protect against such exploitation.

Via 9to5Mac and Re/code