September 2, 2015

KeyRaider: Simplified

The recently revealed KeyRaider is yet another proof point that malicious actors are looking to tinker with iOS.

It’s a piece of malware that affects jailbroken iOS devices and was distributed through a Chinese repository which could be used by Cydia users. Because of this, its exposure was relatively limited.

KeyRaider’s purpose is to let anyone with a jailbroken device running specific KeyRaider components spoof in-app purchases without paying and download paid apps from the Apple App Store, though we haven’t been able to definitively confirm this functionality.

The tool effectively lets people steal from both Apple and mobile developers, and while that’s shady enough, it actually does this by pilfering and using other people’s legitimate Apple account information. It can be thought of as having two sides: some components provide the promised in-app purchase spoofing functionality while others may steal Apple account information, according to researchers from Weip Tech working with Palo Alto Networks.

These researchers recently compromised a server associated with KeyRaider and found information for 225,000 stolen Apple accounts. It is not clear whether the malware creator(s) acquired all 225,000 stolen accounts through KeyRaider or if some of them were otherwise accessed in order to support the in-app purchase theft.

The data included both usernames and passwords, according to the researchers. With those credentials, the malware uses a legitimate Apple account to let others buy in-app purchases “for free.” We believe some of the KeyRaider components focused on gathering account information, while other components used that information to provide the functionality. Specifically, there are two instances called iappinapp and iappstore that perform the in-app purchase spoofing.

KeyRaider highlights the mobile industry’s concerns around jailbreaking. It shows that a jailbroken environment makes it easier both to run piracy operations such as KeyRaider and to collect data surreptitiously on iOS. On the other hand, jailbreaking can also be an asset, helping people customize their device or tinker with it to make it better. The benefits are generally reaped by those who know what they’re doing and can do it safely. If you don’t have a firm grasp on mobile technologies, we recommend not jailbreaking.

Anyone with an Apple account running a jailbroken device should consider changing their Apple ID password. It’s worrisome when any login details are stolen, but especially those that open the door to an iCloud account, which holds backed-up photos, texts, emails, contacts, and other sensitive data. For an enterprise running a BYOD program, this could put company data at risk as well.

Enterprises should be aware of any jailbroken devices on the corporate network. This is one example of the problems that can pop up when a user (or an employee) isn’t paying close attention to what they’re downloading, especially in a jailbroken environment. Stolen credentials can spell trouble for anyone.