1 September 2015

Your jailbroken iOS device may be compromised

The security company Palo Alto Networks, working with WeipTech, a technical group made up of users of the Weiphone forum, has identified 92 samples of a new and currently active iOS malware family.

The malware, named KeyRaider, targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China. In total, the threat appears to have affected users in 18 countries, including China, Singapore, Japan, South Korea and Australia. Some victims report that their stolen Apple accounts show an abnormal app purchase history; others state that their phones have been held for ransom.

Palo Alto Networks found 225,000 valid Apple accounts with passwords stored on a server used by the attackers and believes this is the largest Apple account theft caused by malware to date. KeyRaider steals Apple account usernames, passwords and other sensitive information by intercepting iTunes traffic on the device. The stolen credentials are then used to download applications from the official App Store and make in-app purchases without paying. According to Palo Alto Networks, around 20,000 users are abusing the 225,000 stolen credentials.

Image (source: Palo Alto Networks blog): a phone held for ransom.
Palo Alto Networks and WeipTech have provided services to detect the KeyRaider malware and to identify stolen credentials. WeipTech offers a query service on its website where potential victims can check whether their Apple accounts have been stolen.

Palo Alto Networks also states that its own customers are protected against KeyRaider. The company advises all affected users to change their Apple account password after removing the malware, and to enable two-factor verification for their Apple ID.


The Palo Alto Networks blog post describes a method to check whether an iOS device is infected (search the post for the phrase 'protection and prevention').
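The check the Palo Alto Networks post describes comes down to grepping the directory from which MobileSubstrate loads tweak dylibs on a jailbroken device for a handful of indicator strings, and deleting any matching dylib together with its companion plist. The script below is an added example written for this page; it is not code from the article or from Palo Alto Networks. It assumes the standard MobileSubstrate path /Library/MobileSubstrate/DynamicLibraries, the indicator strings are quoted from the Palo Alto Networks post's 'protection and prevention' section (confirm them against the post before relying on them), and the file name keyraider_check.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the article or Palo Alto Networks): scan the
# MobileSubstrate tweak directory of a jailbroken iOS device for KeyRaider
# indicator strings and report what to remove.

# Indicator strings as listed in the Palo Alto Networks post under
# "protection and prevention" (quoted from that post, not from this page).
KEYRAIDER_IOCS="wushidou gotoip4 bamu getHanzi"

# Directory MobileSubstrate loads tweak dylibs from on a jailbroken device.
SUBSTRATE_DIR=/Library/MobileSubstrate/DynamicLibraries

# scan_substrate_dir DIR [IOC ...]
# Greps every *.dylib in DIR for each indicator string; -a treats the Mach-O
# binary as text, -q only reports whether it matched. Prints one line
# "<dylib> <matched string>" per flagged file. Returns 0 if clean, 1 if any hit.
scan_substrate_dir() {
    dir=$1
    shift
    iocs=${*:-$KEYRAIDER_IOCS}
    hits=0
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue
        for ioc in $iocs; do
            if grep -aq -- "$ioc" "$f"; then
                echo "$f $ioc"
                hits=$((hits + 1))
                break   # one indicator is enough to flag this dylib
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# companion_plist DYLIB
# MobileSubstrate pairs each tweak dylib with a filter plist of the same base
# name; the post says to delete both, so report the plist path as well.
companion_plist() {
    printf '%s\n' "${1%.dylib}.plist"
}

# Stand-alone use on the device, as root over SSH: sh keyraider_check.sh [DIR]
# Reports findings only; inspect and remove the listed files by hand, then reboot.
main() {
    dir=${1:-$SUBSTRATE_DIR}
    if found=$(scan_substrate_dir "$dir"); then
        echo "no KeyRaider indicator found in $dir"
        return 0
    fi
    echo "possible KeyRaider infection; remove these files and reboot:"
    echo "$found" | while read -r dylib ioc; do
        echo "  $dylib (matched '$ioc')"
        echo "  $(companion_plist "$dylib")"
    done
    return 1
}

# Run main only when executed directly (hypothetical file name), not when
# the functions are sourced by another script.
case $0 in
    *keyraider_check.sh) main "$@" ;;
esac
```

Run it as root on the device after installing an SSH server from Cydia. The script deliberately only reports: delete the flagged dylib and plist yourself, reboot, and then follow the advice above to change the Apple account password and enable two-factor verification, since the credentials may already have been exfiltrated before the tweak was removed.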