KeyRaider infects 'jailbroken' Apple iPhone users in 18 countries

News by Adrian Bridgwater

As many as 225,000 Apple iPhone users have had their account details hacked in what is said to be the biggest attack of its kind against the firm's user base.

KeyRaider, a new strain of malware identified by researchers at Palo Alto Networks, affects only jailbroken devices, the researchers said.

Some victims have seen their now stolen Apple accounts showing abnormal app purchasing behaviour and history. Other users have reported incidents where their phones have been 'held for ransom' as monetary demands are received.

The distribution of KeyRaider malware has been traced to 18 countries so far including the United Kingdom, United States, China, France, Russia, Japan, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

Chinese third-party dangers

Apple users have 'contracted' KeyRaider by downloading applications from third-party app stores not controlled by Apple, such as Cydia, which locates its repositories in China.

According to Palo Alto Networks, this malware hooks system processes through MobileSubstrate and steals Apple account usernames, passwords and device GUIDs by intercepting iTunes traffic on the device.

“KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information and disables local and remote unlocking functionalities on iPhones and iPads,” the Palo Alto team wrote.

The researchers also specified that this malware can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple's push server.

Apple: sour or still sweet?

Alert Logic chief security evangelist Stephen Coty suggests that although this may be a big hack against the iPhone, it really is not a hit on Apple's reputation since it only affects jailbroken iPhones.

“This means if you have unlocked from the Apple-only network, you can then buy downloads from sources other than Apple's official App Store and use previously locked functions of the phone such as command line interfaces and Wi-Fi scanning capabilities. If you have jailbroken your iPhone, you are turning the phone into a potential portable hacking device that fits in your hand,” Coty told SC.

Coty added that what 'seems to be cool' about the KeyRaider malware is that it not only scrapes your account data, but it also can lock your phone very similarly to ransomware that has been plaguing many individuals across the world.

KeyRaider is unique in that it holds devices captive in a way that is different from previous iOS ransom attacks. In email correspondence with SCMagazineUK's sister publication in the US, Ryan Olson, intelligence director of Unit 42 at Palo Alto Networks, explained the best way for a user to recover their device should they become a victim.

“If they have OpenSSH already installed on the device, log in and delete the malware using the instructions in the blog. If they don't already have OpenSSH installed, it's going to be much more challenging to get around this particular ransomware,” he said. “The standard Apple password reset and rescue are not going to function properly with this attack.”

David Gibson, VP of strategy and market development at Varonis thinks that when people jailbreak their iPhones, they usually know they are trading some security for flexibility. “That's kind of the point,” he said.

Gibson added, “You get root access to the iPhone and the flexibility to install software that hasn't been approved by Apple but you also run a greater risk of getting malware on your phone. Balancing security with flexibility and productivity is a tricky thing, and today's news shows how difficult it is for consumers to maintain that balance on their own.”

Palo Alto Networks credited a member of the Weiphone Tech Team with identifying the attack, and explained in the post that Weiphone Tech Team began investigating in July after hearing reports that Apple accounts were being used to make unauthorised purchases. Palo Alto Networks also noted in the post that one user claimed their phone was held for ransom.