The malware, which Palo Alto Networks dubbed “KeyRaider,” compromises jailbroken iOS devices and is distributed through third-party Cydia repositories in China. Cydia is a package manager that finds and installs software on jailbroken iOS devices.
KeyRaider didn’t just steal over 225,000 Apple accounts. It also stole thousands of certificates, private keys, and purchase receipts, according to Palo Alto Networks.
The malware executes the following behaviors:
- Steals Apple account (user name and password) and device GUID
- Steals certificates and private keys used by Apple Push Notification Service
- Prevents the infected device from being unlocked by passcode or through the iCloud service
As if those actions weren’t bad enough, KeyRaider also has built-in functionality to hold iOS devices for ransom. Palo Alto Networks states that “One victim reported that his phone was locked while the prompted message on screen is 'Please contact by QQ or phone to unlock it.'”
Palo Alto Networks also issued this caution:
With a victim’s Apple account and password, attackers can launch all kinds of additional attacks. For example, they can control the device through iCloud and compromise the victim’s private data contained in their iMessage logs, contacts, photos, emails, documents and location. In 2014, for example, many celebrities’ iCloud accounts were hacked and photos leaked, which raised awareness of the threat from stolen Apple account credentials.
In addition, hackers can use stolen Apple IDs for numerous money-making schemes including using hacked accounts to promote their own apps in the App Store, purchasing apps with other users’ IDs, selling stolen IDs to spammers and wreaking all other kinds of havoc.
Some victims have already reported that their stolen Apple accounts show abnormal app purchases and others claimed their phones have been held for ransom.
Apple has yet to address Palo Alto Networks’ findings via a statement or press release, but Palo Alto Networks offers the following advice for protecting your Apple ID from KeyRaider:
Our primary suggestion for those who want to prevent KeyRaider and similar malware is to never jailbreak your iPhone or iPad if you can avoid it. At this point in time, there aren’t any Cydia repositories that perform strict security checks on apps or tweaks uploaded to them. Use all Cydia repositories at your own risk.
We also suggest all affected users change their Apple account password after removing the malware, and enable two-factor verification for their Apple IDs.