Got a Jailbroken iPhone? Your Apple account is at risk


A new form of malware called "KeyRaider" is affecting jailbroken iPhones by stealing users' Apple accounts, certificates, private keys and more, and using them to download apps from the App Store for other users.

Jailbreaking your iPhone circumvents Apple's strict rules and regulations, allowing you to install and run apps that you wouldn't normally be able to. It can also be used in some cases to download apps you'd normally pay for, for free - or in other words: stealing.

Malicious users have now found a way to target jailbroken handsets, with the KeyRaider malware stealing over 225,000 Apple accounts from users in 18 countries including China, where the bulk of the affected users are from, as well as France, Russia, Japan, United Kingdom, United States, Canada, Germany and Australia.

We got in touch with the Symantec Security Response team, who told us that "a possible reason why China is disproportionately affected by this problem is highlighted by a huge appetite for third-party app stores among Chinese owners of iOS devices.

"Once you point your device to other murkier corners of the internet to download apps, you run a disproportionate risk of becoming impacted by malware and other nastiness."

KeyRaiders of the lost app

The KeyRaider malware uses a security loophole in jailbroken handsets to steal usernames, passwords and iTunes traffic. It also disables local and remote unlocking functionality, and it is spread through Weiphone's Cydia repositories. So if you use Weiphone to jailbreak your device, you could be at risk.

It then uploads the stolen data to a command and control server. When other users want to "buy" an app without paying, the stolen Apple account data is used instead.

Victims of KeyRaider have reported that their app purchasing history tied to their Apple account shows purchases they have not made – while others are claiming their iPhones are being held ransom, with malicious users remotely locking their devices and asking for payment to unlock them.

According to Palo Alto Networks researchers who have been looking into the KeyRaider malware, a number of apps have been uploaded by a user they believe is the creator of KeyRaider, including iappstore and iappinbuy.

Due to the inherent security risks and dubious ethics of downloading paid apps without paying for them, we wouldn't recommend jailbreaking your iPhone. But if you have, it is best to make sure you don't go anywhere near those two apps, and to keep an eye on your iTunes purchase history.

The Symantec Security Response team agrees, telling us that "Symantec advises users against jailbreaking their devices as it can seriously impact security and is against the usage policies of the product.

"Users should also only install apps from trusted sources. Trusted app stores, such as Apple's, have a rigorous vetting policy in place to prevent malicious apps from appearing in the ecosystem."

The malware only affects users with jailbroken iPhones, so if you have a normally functioning iPhone that runs the way Apple intended, you're safe.

If you think your account is compromised, you'll need to follow the instructions at Palo Alto's website to remove the infected files, then change your password and enable two-step verification for your Apple ID.

Matt Hanson
Managing Editor, Core Tech
