Skip navigation
industry news

iOS Malware Leverages Jailbroken Devices to Steal Apple Account Info

A new form of iOS malware leverages jailbroken Apple devices, stealing Apple account information, private keys and certificates.

According to Threatpost, China-based researchers, the WeipTech team found a database containing more than 200k plaintext usernames and passwords of Apple account users that had been compromised.

This user data was collected and uploaded to a remote server, then used to make unauthorized purchases. Working with WeipTech, Palo Alto Networks researchers also discovered 92 samples of a new iOS malware family in use.

By intercepting iTunes traffic on the device (leveraging Cydia or Mobile Substrate), KeyRaider steals Apple push notification service certs and private keys, as well as App Store purchasing data.

Plus, the malware has the capability to disable local and remote unlocking functionalities on iPhones and iPads, according to a Palo Alto Networks blog. The malware can be used in a ransomware-style attack, meaning the attacker can lock a person’s phone and even send them a push notification message about how to recover their phone. reported that KeyRaider has been incorporated into jailbreak tweaks - that is, software packages that allow for a new function to be run on iOS. The tweaks allow attackers to intercept app purchase requests as well as emulate the iTunes protocol to log into Apple’s server and buy apps or other items, as evidenced by users with atypical purchasing histories.

Protecting Personal and Work Accounts

How can you protect your Apple accounts? Palo Alto Networks has released DNS signatures to prevent KeyRaider malware from relaying credentials in protected networks, and WeipTech also allows you to search and see if your account was compromised.

Both companies strongly recommend enabling two-factor authentication for iCloud accounts/Apple IDs.

But the primary recommendation from Palo Alto Networks warns against jailbreaking iOS devices in order to prevent the risk of compromise by KeyRaider or other malware:

...never jailbreak your iPhone or iPad if you can avoid it. At this point in time, there aren’t any Cydia repositories that perform strict security checks on apps or tweaks uploaded to them. Use all Cydia repositories at your own risk.

You never know what kind of malware accompanies a tweak for jailbroken phones, so it’s possible that you’ve downloaded some already. This isn’t just a security problem for individuals with Apple ID accounts, but could potentially introduce risks to enterprise organizations too, particularly those that allow employees to use personal devices for work purposes.

The effects of stolen personal credentials often crossover to workplace application logins, as users often reuse or recycle passwords across many different accounts. Without two-factor authentication protecting all of these accounts (work and personal), an attacker can easily cross-reference a username and password on another website to log into company resources.

Endpoint Security Starts With Visibility

So how can companies protect their users and their intellectual property and other sensitive business data? Not only by enabling two-factor authentication, but by also using a tool that gives them insight into the devices authenticating into their network.

Mobile Device Insight

Endpoint security starts with visibility - collecting data on the iOS devices in your environment that are jailbroken is a step in the right direction. Administrators can identify vulnerable devices that may have KeyRaider installed and isolate or otherwise mitigate the risk.

Keep Out Any Jailbroken Devices

Going a step even further, with authentication policies and controls, administrators should be able to block any jailbroken iOS devices from authenticating into their environment. With Duo Security’s Platform Edition, you can get detailed device data and enforce these types of policies and controls - without using an agent or mobile device management (MDM) client:

Platform Policy and Controls

Needless to say, KeyRaider is not the first iOS malware and won’t be the last. Last week, another iOS vulnerability revealed that user credentials, server information and configuration settings were stored in an unprotected directory by many mobile device management (MDM) applications. Apple patched this in their latest update, 8.4.1, but anyone running older OS versions may be vulnerable.

Getting visibility into what kinds of devices you’re dealing with as well as the ability to keep them out of your environment can help reduce the risks associated with any type of iOS malware that leverages outdated OS or jailbroken devices. Learn more endpoint and mobile security with our Duo Access.