September 2, 2015

KeyRaider: Simplified

The recently revealed KeyRaider is yet another proof point that malicious actors are looking to tinker with iOS.

It’s a piece of malware that affects jailbroken iOS devices and was distributed through a Chinese Cydia repository. Because it spread only through that channel, its exposure was relatively limited.

KeyRaider’s goal is to let anyone with a jailbroken device running specific KeyRaider components spoof in-app purchases without paying, and to download paid apps from the Apple App Store, though we haven’t been able to definitively confirm this functionality.

The tool effectively lets people steal from both Apple and mobile developers, and while that’s shady enough, it actually does this by pilfering and using other people’s legitimate Apple account information. It can be thought of as having two sides: some components provide the promised in-app purchase spoofing functionality while others may steal Apple account information, according to researchers from Weip Tech working with Palo Alto Networks.

These researchers recently compromised a server associated with KeyRaider and found information for 225,000 stolen Apple accounts. It is not clear whether the malware creator(s) acquired all 225,000 stolen accounts through KeyRaider or if some of them were otherwise accessed in order to support the in-app purchase theft.

The data included both usernames and passwords, according to the researchers. The malware then uses these legitimate Apple accounts to let others make in-app purchases “for free.” We believe some of the KeyRaider components focus on gathering account information, while other components use that information to provide the purchasing functionality. Specifically, two components called iappinapp and iappstore perform the in-app purchase spoofing.

KeyRaider highlights the mobile industry’s concerns around jailbreaking. It shows that the jailbreaking environment can more easily support both piracy operations such as KeyRaider and surreptitious data collection on iOS. On the other hand, jailbreaking can also be an asset, helping people customize their device or tinker with it to make it better. The benefits are generally reaped by those who know what they’re doing and can do it safely. If you don’t have a firm grasp on mobile technologies, we recommend not jailbreaking.

Anyone with an Apple account on a jailbroken device should consider changing their Apple ID password. It’s worrisome when any login details are stolen, but especially those that open the door to an iCloud account, which holds backed-up photos, texts, emails, contacts, and other sensitive data. For an enterprise running a BYOD program, this could put company data at risk as well.

Enterprises should be aware of any jailbroken devices on the corporate network. This is one example of the problems that can pop up when a user (or an employee) isn’t paying close attention to what they’re downloading, especially in a jailbroken environment. Stolen credentials can spell trouble for anyone.

Authors

Lookout


Entry Type: Threat Guidances, Threat Summary
Platform(s) Affected: iOS
Threat Type: Malware
