Security Market Segment LS
Monday, 31 August 2015 14:16

Massive Apple account theft from new malware hit on iOS Featured

By
Massive Apple account theft from new malware hit on iOS

What is believed to be the largest known Apple account theft caused by malware has been reported after the discovery of 225,000 stolen valid Apple accounts with passwords stored on a server.

A technical group, WeipTech, consisting of users from Weiphone - one of the largest fan websites in China - found the Apple accounts on a server as they were analysing suspicious iOS tweaks reported by users.

Now, in cooperation with WeipTech, Palo Alto has said it has identified 92 samples of a new   malware family in the wild, naming the culprit malware responsible for the Apple account theft, “KeyRaider”.

“We believe this to be the largest known Apple account theft caused by malware,” says Claud Xiao in his blog posted on the Palo Alto website.  
According to Palo Alto, the Key Raider malware may have impacted users in Australia and 17 other countries, including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Israel, Italy, Spain, Singapore, and South Korea.

Xia says Key Raider targets jailbroken iOS devices, is distributed through third-party Cydia repositories in China, and has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts – “uploading stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.”

“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreak tweaks are software packages that allow users to perform actions that aren’t typically possible on iOS.

“These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.”

According to Xia, some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.

Explaining how it works, Xia says the malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.  KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

Palo Alto and WeipTech have now provided services which they say will detect the KeyRaider malware and identify stolen credentials.

Read 11745 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here




EXL AI IN ACTION VIRTUAL EVENT 20 MARCH 2025

Industry leaders are looking to transform their businesses and achieve measurable outcomes with AI.

As organisations across APAC navigate the complexities of AI adoption, this must-attend event brings together industry leaders, real-world demonstrations, and visionary panel discussions to bridge the gap between proof-of-concepts and enterprise-wide AI implementation.

Learn how to overcome common challenges in deploying AI at scale.​

Unlock cost savings, efficiency, and better customer experiences with AI.

Discover how industry expertise and data intelligence enable practical AI deployment.

Register for the event now!

REGISTER!

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

BACK TO HOME PAGE
Published in Security
Tagged under
Peter Dinham

Peter Dinham - retired in 2020. He is a veteran journalist and corporate communications consultant. He has worked as a journalist in all forms of media – newspapers/magazines, radio, television, press agency and now, online – including with the Canberra Times, The Examiner (Tasmania), the ABC and AAP-Reuters. As a freelance journalist he also had articles published in Australian and overseas magazines. He worked in the corporate communications/public relations sector, in-house with an airline, and as a senior executive in Australia of the world’s largest communications consultancy, Burson-Marsteller. He also ran his own communications consultancy and was a co-founder in Australia of the global photographic agency, the Image Bank (now Getty Images).

Latest from Peter Dinham

Related items

More in this category: « Spammers take advantage of Ashley Madison data breach Is KeyRaider a cautionary tale or a bigger issue? »
Share News tips for the iTWire Journalists? Your tip will be anonymous
back to top

Subscribe to Newsletter

*  Enter the security code shown: img0

WEBINARS & EVENTS

CYBERSECURITY

PEOPLE MOVES

GUEST ARTICLES

Guest Opinion

ITWIRETV & INTERVIEWS

RESEARCH & CASE STUDIES

Channel News

Comments