KeyRaider Steals iPhone Credentials for App Purchases

A new iOS malware family, dubbed “KeyRaider,” has been found in the wild. It appears to be behind the largest known Apple account theft caused by malware to date.

The goal is to allow the perpetrators to download applications from the official App Store using someone else’s credentials and payment methods, and make in-app purchases.

KeyRaider, which appears to be used by 20,000 users, targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China, according to Palo Alto Networks. It steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

So far, 92 samples have been identified, at least 225,000 valid Apple accounts with passwords have been compromised, and thousands of certificates, private keys and purchasing receipts have been stolen. The threat may have impacted users from 18 countries, including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

“The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device,” Palo Alto explained in an analysis. “Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.”

Palo Alto Networks and WeipTech have provided services to detect the KeyRaider malware and identify stolen credentials. 

What’s Hot on Infosecurity Magazine?