A new iPhone malware, dubbed AceDeceiver, does pretty much what its name would suggest: it’s a master of tricking iOS into thinking it’s legit, thus gaining install unbeknownst to the user.
Palo Alto Networks has identified the baddie, which exploits design flaws in Apple’s DRM mechanism, FairPlay, tricking iOS devices into believing that a malicious app was purchased by the victim, thus allowing its installation. It’s essentially a variation on a man in the middle (MiTM) attack, and it works by taking advantage of the fact that Apple allows users to purchase and download iOS apps from their App Store through the iTunes client running in their computers.
“[The] technique uses a man-in-the-middle attack, meaning that credentials are stolen, uploaded, used to obtain copies of applications from the App Store, which are then installed by a helper Windows application when the iOS device is connected to it,” explained Guillaume Ross, senior security consultant, Strategic Services, Rapid7, in an emailed comment. “The helper application claims to provide tools to manage iOS devices. Avoiding third party app stores, jailbreaking tools, as well as never connecting iOS devices to untrusted USB ports can limit the impact this vector can have. Again, for individuals or organizations looking to improve the security of their iOS devices, it is possible to configure them to prevent pairing to computers completely."
After creating a custom piece of software to re-use the stolen code, the user can install apps they never actually paid for, which is useful for those bent on piracy. But it also allows the creator of the software to install potentially malicious apps without the user’s knowledge.
“This has been used since 2013 to spread pirated iOS apps, but this is the first time we’ve seen it used to spread malware,” said Palo Alto’s Claud Xiao, in an analysis.
Three different iOS apps in the AceDeceiver family were uploaded to the official App Store between July 2015 and February 2016, and all of them claimed to be wallpaper apps, he said. These apps successfully bypassed Apple’s code review at least seven times (including the first time each was uploaded and then four rounds of code updates, which require an additional review by Apple for each instance).
“Apple removed these three apps from the App Store after we reported them in late February 2016,” Xiao said. “However, the attack is still viable because the FairPlay MITM attack only requires these apps to have been available in the App Store once. As long as an attacker could get a copy of authorization from Apple, the attack doesn’t require current App Store availability to spread those apps.”
He added, “It hasn’t been patched and even when it is, it’s likely the attack would still work on older versions of iOS systems.”
For now, AceDeceiver only affects users in mainland China. The bigger issue, however, is that AceDeceiver is evidence of another relatively easy way for malware to infect non-jailbroken iOS devices.
“As a result, it’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique,” Xiao said, noting that the new attack technique is more dangerous than previous ones since it doesn’t require an enterprise certificate. Hence, this kind of malware is not under MDM solutions’ control, and its execution doesn’t need the user’s confirmation of trusting anymore.
Apple has been hit hard with cyber-issues of late. Earlier this month, the first full-fledged ransomware threat for the Apple Mac platform was detected. Palo Alto Networks uncovered the KeRanger malware, which lurks in the Transmission BitTorrent client installer for OS X. If a user installs the infected app, an embedded executable file is run on the system. Like other crypto-ransomware, it sets about encrypting certain types of document and data files on the system, locking them down—and then demands a ransom payment in return for the de-encryption key. In this case, KeRanger demanded that victims pay one bitcoin (about $400) to a specific address to retrieve their files.
Interestingly, KeRanger waits for three days before connecting with command and control (CnC) servers, which it does over the Tor anonymizer network; It’s only after that that it begins the encryption process. This is likely an effort to obfuscate its attack vector.
Photo © Alexey Boldin/Shutterstock.com