How the Keyraider Malware is Busting iPhone Jailbreakers

iPhone users have been jailbreaking their phones to obtain apps from the Apple store for free and to unlock their phones’ ability to install third-party applications. While this has been fairly beneficial, it has exposed them to malicious software, KeyRaider, that steals their identities among other things. Unfortunately, and rather interestingly, Apple Inc. cannot help these clients because the affected jailbroken phones prevent Apple’s security systems from accessing them.

Distributed through Cydia repositories, online repositories for apps designed to run on jailbroken phones, KeyRaider busts iPhone jailbreakers in a number of ways.

Data Robbing

According to Palo Alto Networks’ Unit 42, 225,000 valid Apple accounts originating from 18 countries, including China, along with countless purchase receipts, certificates and private keys, have been stolen by the KeyRaider malware. This cyber-crime was discovered while Palo Alto Networks, together with WeipTech, was analysing suspicious user-reported iOS tweaks.

The malware is incorporated into software packages, or jailbreak tweaks, that add new functions to iOS. Allegedly, a user with the username ‘mischa07’ seeds the malware into his personal app repository, and that username serves as the encryption and decryption key for the malware.

The malicious software helps jailbreakers tune their systems, cheat in games and remove advertisements from applications. Unknown to the jailbreakers, however, the malware also stealthily steals their identities, which are then used to make purchases on behalf of other users.

Holding Users For Ransom

The malware has been reported to have made a ransomware attempt whereby it locally disables any kind of phone unlocking operation, with or without the correct passcode. This was realised after a user reported that his phone was unexpectedly locked and instructed him to contact someone over the QQ instant messaging service. Upon further investigation, WeipTech found a command-and-control server used by the attackers to communicate with jailbroken phones in order to steal their account information. Unfortunately for the iPhone users, only half of these accounts were recovered before the attackers fixed this vulnerability.

Additionally, by using the stolen private key and certificate, the malware can hold the user for ransom. It sends a notification demanding the ransom without going through the Apple server, rendering known ‘rescue’ procedures ineffective.

Other Similar Malware

MobileSubstrate APIs were abused by the KeyRaider malware to hook arbitrary APIs in other iOS apps and system processes. This was an attractive platform for the attackers given its history of hosting malware. Unflod, also known as Unfold Baby Panda or SSLCreds, for example, used this platform to intercept SSL-encrypted traffic and steal Apple account passwords. That malware was found by Reddit users, and its operations were understood after analysis by SektionEins. In 2014, another malware, AppBuyer, was discovered using the same platform and technique Unflod used to buy apps from the App Store and steal user passwords. KeyRaider used these same techniques and took them a step further.

Jailbreaking is definitely a double-edged sword, opening users up to a world of free and unlimited apps but also to greater security threats. Consequently, WeipTech, an online service, has been set up to help people check whether their accounts have been affected.