Slashdot Mirror


Over 225,000 Apple Accounts Compromised Via iOS Malware

An anonymous reader writes: Researchers from Palo Alto Networks and WeipTech have unearthed a scheme that resulted in the largest known Apple account theft caused by malware. All in all, some 225,000 valid Apple accounts have been compromised. The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese — the malware is distributed through third-party Cydia repositories in China — but users in other countries have also been affected (European countries, the U.S., Australia, South Korea, and so on). "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device," Palo Alto researcher Claud Xiao explained. "KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."

27 of 217 comments

  1. Jail broken devices? by Anonymous Coward · · Score: 5, Insightful

    Only jail broken devices were affected. Anyone who jail breaks is aware of the risk they are taking.

    1. Re:Jail broken devices? by geogob · · Score: 4, Insightful

      Anyone who jail breaks is aware of the risk they are taking.

      I think they just heard me laugh all the way to China. Seriously, most people can't even grasp the concept of risk when thinking of software and operating systems. How in the world do you expect them to understand those risks?

      No. Contrary to some beliefs, most (as in almost all) jailbreakers have no clue what they do and have no idea of what the risks involved are and how important (or not) they are.

    2. Re:Jail broken devices? by BasilBrush · · Score: 2

      You're right, most of them don't have a clue. Yet they are still responsible for what they've done.

    3. Re:Jail broken devices? by Lord+Flipper · · Score: 2

      I can give you plenty of reasons for jailbreaking:..

      Thank you, AC. Finally, someone who actually knows something about the issue takes the time to respond.

      As for most of the rest of you...

      I've been jailbreaking my iPhones for years. Why? Simple aesthetic reasons, for the most part, and a few minor enhancements for keyboard layout, select/copy/paste routines, and minor, but very useful tweaks of the Control Center, App Switcher, OneTouch ID, Notifications, etc. Not to mention "hiding" some of the bullshit cruft "apps" that clutter up my situation.

      Apple, as usual, decides how the device will look and feel, and allows almost no "real" customization of the iPhone desktop, navigation, power switching (On/Off/Restart/Springboard relaunch), etc.

      I want... check that, demand... a transparent Dock, unlimited nested folders without that hideous gray background blur, no resource-killing "animations," no auto-redirect to "App Store," and a number of other personalized processes and "look and feel" adjustments that are ONLY available on the iOS to jailbroken hardware. Period.

      If kids, or old farts, for that matter, want to jailbreak so they can avoid paying... what(?) 99 cents or two bucks for some apps, and they get burned using some obscure Chinese software repository, who gives a fuck? I don't.

      I don't like my homescreen being cluttered up with icons. If Jonny Ive thinks that's cool, and Apple agrees to the point of not allowing the simplest, safe mods, well fuck him and them too. Once I buy the phone (outright, no subsidy), that bitch is mine.

      Pardon my French, you know, but it's bad enough we have to wade through all the fucking horseshit that does, indeed, exist in the JB "community," without having to listen to misinformed luddites, and chickenshits posturing about how bad it all is or how these "kids" you all speak of, get what you think they "deserve." If you're getting ready to chime in on moralistic bullshit, about a simple issue of choice, well then, fuck you, too, in advance.

      I feel better. Oh, and by the way, almost all of the serious root-level exploits that Apple has "patched," now, for years, have come courtesy of the JB underground. You're welcome... assholes.

  2. Headline leaves out one very important detail by berj · · Score: 5, Informative

    Headline leaves out the fact that this isn't just any old iOS malware. It affects only *jailbroken* devices.

    That's a pretty important distinction.

    1. Re:Headline leaves out one very important detail by Anonymous Coward · · Score: 2, Insightful

      Well, it's the same distinction that people miss on over 99% of android malware. The overwhelming majority of the malware is only viable on rooted devices and is spread via third-party app stores and "free" APK download sites.

    2. Re:Headline leaves out one very important detail by dimeglio · · Score: 5, Insightful

      Pretty much. That's the point of living in a walled garden. You break the wall, who knows what's going to step inside.

      --
      Views expressed do not necessarily reflect those of the author.
    3. Re:Headline leaves out one very important detail by berj · · Score: 4, Insightful

      Your ridiculous post borders on a tautology.

      It's true... if you bypass security measures then you're no longer secure.

      That's hard for you to understand?

      You expect the lock maker to be liable if you leave your door open?

    4. Re:Headline leaves out one very important detail by gstoddart · · Score: 4, Informative

      Oh, really?

      The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese — the malware is distributed through third-party Cydia repositories in China

      The headline might leave it out, but the summary sure makes it plain.

      --
      Lost at C:>. Found at C.
    5. Re:Headline leaves out one very important detail by Anonymous Coward · · Score: 5, Insightful

      So, if I run OpenBSD, but replace OpenSSH with Bob'sSSH, and there is a security problem with Bob'sSSH, it's OpenBSD's fault?

    6. Re:Headline leaves out one very important detail by Applehu+Akbar · · Score: 5, Funny

      The technical term for jailbroken, insecure versions of iOS is "Android."

    7. Re:Headline leaves out one very important detail by gstoddart · · Score: 2, Insightful

      Would this be any different with Android or Microsoft?

      Root your device, and install software from unknown places ... and guess what ... it doesn't matter whose damned platform you're running.

      Hell, you can get malware from using download.com, cnet and other places too.

      News flash ... installing software from unknown sources can be a security risk no matter what your damned platform.

      Apple (or any other vendor) can't do a damned thing to protect your security when you go to great lengths to install software from sources you can't trust.

      --
      Lost at C:>. Found at C.
    8. Re: Headline leaves out one very important detail by fluffernutter · · Score: 2

      When I purchased my Android phone I wanted a true OpenVPN client and native access to the filesystem. Fortunately I could do that without rooting it. On the contrary, I would have had to root an iPhone to get those features.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    9. Re:Headline leaves out one very important detail by swillden · · Score: 5, Interesting

      I expect to be able to go in and out of my door. That's what doors are for. Apple doesn't even give you a door. You have to break your way through the wall. Then there's a hole there. That's why Apple products are only sufficient for sheep. They don't break down walls, they just wander through holes.

      It's worth pointing out that if you root your Android device you're doing the same thing, breaking through a wall. That's fine if it's what you want to do, but you are giving something up in terms of security.

      As a member of the Android security team, I'm involved in lots of discussions about lots of different threat models and attack vectors, and while we do think about trying to maintain security on rooted devices, I'd say that 90% of the time we end up deciding that we just can't, so "device is running an official image[*] and is not rooted" becomes a foundational assumption of the analysis.

      This isn't because rooting is inherently bad, or because we're trying to control users' devices, but because it's impossible to reason about security in a vacuum. You have to know what you can depend on. For example, we might argue that apps can't break out of their sandbox in a particular way because the information they need to do it is managed by a particular system daemon which validates access in a particular way... but in a rooted device that daemon may be modified, or simply bypassed. We just can't know that stuff is still working the way it's intended to. Some members of the modding community do an outstanding job of adding flexibility without breaking the security model, but many others don't.

      Ideally, devices should provide enough native flexibility to allow users to achieve what they want while staying entirely within the normal mode of operation. In the case of Android that means staying within Google's "walled garden": install apps only from the play store, keep Verify Apps enabled (and follow its recommendations), don't root, definitely don't disable SELinux, etc. Where that ideal fails, and users want to do stuff that can't be done in the garden, they should have the option of stepping out of it, and they should be able to do so in a progressive way, not all-or-none... but each step they take increases the probability that they'll change something that violates a security assumption and thereby increases their risk of compromise.

      I suspect that Apple security engineers even more strongly assume that devices are not jailbroken. That's just a guess, but it's consistent with the general philosophy of iOS and, if correct, it means that jailbreakers have even less expectation of security. iOS users also live in a software monoculture, which exacerbates the risk. (Android users get security benefits from ecosystem diversity, though there are obvious costs to that diversity as well. Including the update problem.)

      [*] Note that given the state of updates in the Android ecosystem, we often don't assume that the device is running an up to date system image. From our perspective that's often easier to work with than a rooted device because at least we know how it behaves and can look at trying to mitigate risks at other layers. We're also working on the update situation, but that's hard given the nature of the ecosystem.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
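      The post above lists the assumptions a threat analysis ends up resting on (official image, not rooted, SELinux enforcing, Verify Apps on, no sideloading). The script below is an added example, not swillden's or Google's code: it parses constructed `adb shell getprop` and `settings list` output offline and reports which of those assumptions a device violates. The property and settings keys (`ro.build.tags`, `ro.debuggable`, `package_verifier_enable`, `install_non_market_apps`) are those of 2015-era Android and are assumptions about the device under test, as is the `su`/`getenforce` input the caller supplies.

```python
"""Added example: audit an Android device's posture against the security
assumptions named in the post above. Input is constructed adb output, so it
runs offline; the keys used are assumptions about 2015-era Android builds."""

import re

# Constructed sample output of `adb shell getprop` for a stock device.
STOCK_GETPROP = """[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.build.version.release]: [5.1.1]
"""
# Constructed sample for a device running a custom, rooted build.
MODDED_GETPROP = """[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.build.version.release]: [5.1.1]
"""
# Constructed sample output of `adb shell settings list global|secure`.
STOCK_GLOBAL = "package_verifier_enable=1\nadb_enabled=0\n"
MODDED_GLOBAL = "package_verifier_enable=0\nadb_enabled=1\n"
STOCK_SECURE = "install_non_market_apps=0\n"
MODDED_SECURE = "install_non_market_apps=1\n"


def parse_getprop(text):
    """Turn '[key]: [value]' lines from getprop into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M)}


def parse_settings(text):
    """Turn 'key=value' lines from `settings list` into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def audit(props, global_settings, secure_settings, su_present, selinux_mode):
    """Return the list of foundational assumptions this device violates.

    su_present: whether `adb shell which su` found a binary (assumed check).
    selinux_mode: output of `adb shell getenforce`, e.g. 'Enforcing'.
    """
    findings = []
    if props.get("ro.build.tags") != "release-keys":
        findings.append("image not signed with release keys (custom/test build)")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build")
    if su_present:
        findings.append("su binary present (rooted)")
    if selinux_mode.strip().lower() != "enforcing":
        findings.append("SELinux not enforcing")
    # Missing key is treated as the platform default (verifier on).
    if global_settings.get("package_verifier_enable", "1") != "1":
        findings.append("Verify Apps disabled")
    if secure_settings.get("install_non_market_apps", "0") == "1":
        findings.append("installs from unknown sources allowed")
    return findings


def audit_sample(which):
    """Run the audit over one of the constructed samples ('stock' or 'modded')."""
    if which == "stock":
        return audit(parse_getprop(STOCK_GETPROP), parse_settings(STOCK_GLOBAL),
                     parse_settings(STOCK_SECURE), su_present=False,
                     selinux_mode="Enforcing")
    return audit(parse_getprop(MODDED_GETPROP), parse_settings(MODDED_GLOBAL),
                 parse_settings(MODDED_SECURE), su_present=True,
                 selinux_mode="Permissive")


if __name__ == "__main__":
    for name in ("stock", "modded"):
        findings = audit_sample(name)
        print(f"{name}: {'no findings' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

      Each finding corresponds to one assumption the analysis in the post depends on; a device with any finding is outside the model the platform's mitigations were reasoned about, which is the point swillden makes about rooted devices.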
    10. Re:Headline leaves out one very important detail by macs4all · · Score: 2

      I expect to be able to go in and out of my door. That's what doors are for. Apple doesn't even give you a door. You have to break your way through the wall. Then there's a hole there. That's why Apple products are only sufficient for sheep. They don't break down walls, they just wander through holes.

      Oh, PUH-LEASE!!!

    11. Re:Headline leaves out one very important detail by swillden · · Score: 2

      The technical term for jailbroken, insecure versions of iOS is "Android."

      That's a common belief. In practice, I don't think it's true. In particular, although the Android world sees lots of announcements of vulnerabilities that affect X hundred million devices, the actual exploitation doesn't seem to follow. One reason is that many of the vulnerabilities aren't actually as widespread or are harder to exploit in practice than the researchers describe. Another is that the diversity of the Android ecosystem often means that an exploit has to be customized for each different manufacturer and model, making broad exploitation harder. A third is that Google is often able to successfully mitigate vulnerabilities with the Play store, Verify Apps and updates to the Play services app. There are other reasons as well.

      Whatever the reasons, it's interesting to note that we don't see reports of large numbers of Google accounts being compromised via Android vulnerabilities. I'm not claiming that's impossible, and it wouldn't shock me if it happened tomorrow, but the fact that we don't indicates to me that there is actually more right with the Android security situation than is commonly believed. The low real-world malware numbers disclosed in Google's Android security "State of the Union" report further buttress that view.

      (Disclaimer: I'm a member of Google's Android security team. I'm speaking only for myself, not for Google.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Re:Rotten apple ?!? by Anonymous Coward · · Score: 5, Insightful

    Affects only jail-broken devices. How is this even relevant news?

  4. Re:Rotten apple ?!? by Anonymous Coward · · Score: 5, Insightful

    I'd argue that it's relevant news but I would also say that people who are employing hacks on their devices should realize that the original vendor can't be held accountable for shoddy modifications from a bunch of script kiddies.

  5. Never understand jailbreaking an Apple iOS device by Aqualung812 · · Score: 4, Insightful

    I'm an Apple iOS user, and a former Palm/Windows CE/Blackberry/Windows Phone/Android user.

    I simply don't understand jailbreaking an iPhone. The whole point of me having an iPhone is to take advantage of the walled garden.

    If I want something with better hardware on a lower price that I can customize any way I want, I'd have an Android again.

    Since having a reliable and secure phone is more important to me than features, I have decided to get an iPhone and not jailbreak it.

    Can those that do jailbreak explain why they don't go to Android?

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  6. Re:Never understand jailbreaking an Apple iOS devi by brunes69 · · Score: 2

    If you had ever used a jailbroken iPhone and realized the capabilities it unlocks, you would change your mind.

    The idea that a jailbroken iPhone is more or less secure than an unjailbroken one is a fallacy. The people got this malware by downloading and installing pirated iOS applications that were infected with it - something that is ENABLED by jailbreaking. Just because a phone is jailbroken does not put it into some insecure state, you have to do that yourself.

  7. Re:Never understand jailbreaking an Apple iOS devi by joh · · Score: 4, Informative

    Of course jailbreaking iOS puts it into some insecure state. Quite literally. Jailbreaking circumvents code signing for all code that runs on the device which means that every bit of code that makes its way onto the phone will happily run now. Also using the repositories means that you will install undocumented binary code from unknown people. Since you don't have the sources there is no way to check what this code does and since whoever wrote that code faces no risk when his code is discovered to be malware there's very little you can do after the fact.

    This is less secure than a device that is not jailbroken.

    I mean, do what you want to do by all means, but at least try to know what you're doing so you can correctly balance the risks and advantages you get by what you're doing.

  8. Re:Never understand jailbreaking an Apple iOS devi by Overzeetop · · Score: 2

    "android device last 3+ years with continued OS support and also not slow to a crawling POS"

    Well, that's difficult for iOS devices, too. iPhone 4 devices were sold until September 2013 and can't be updated to iOS 8, which was released in September 2014. One year to obsolescence. My daughter's iPod Touch stopped getting updates after about 2 years. Same with the iPad 1 I have. (Both were, admittedly, bought near the release of the next model.)

    I actually gave up all my paid apps in iOS to move to Android. Compared to the cost of the phone, the apps really aren't that expensive. I'm running "last year's" version of the OS by choice - I just don't have time to mess with 5, and there are no clear advantages to me. As for hardware quality, I have not once thought "I like my G3, but it's just not built as well as the iPhone 5 it replaced". On the contrary - its camera is wildly superior to my wife's 5s (she borrows my phone for taking pictures now), and it's got a plethora of other advantages.

    Now that I have a rooted Android phone, I can't imagine going back to even a jailbroken iOS device. I can just do more with it, and many apps in the official stores are written for those with root permissions so I don't have to go nosing around in Cydia to find apps that do things which Steve has forbidden.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  9. Re: Perhaps if Apple devices weren't so locked dow by fluffernutter · · Score: 2

    You talk as if there aren't an infinite amount of compromises in between. When I plug a device into USB I expect to be able to see and manipulate non privileged files. Why must an iPhone be rooted for that feature?

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  10. Re:Rotten apple ?!? by Noah+Haders · · Score: 5, Informative

    You buy an iPhone, you get your just deserts.

    I would say you jailbreak your iphone using software from unidentified hackers, then install software from unknown parties that can access root processes, you get your just deserts.

  11. Re:Never understand jailbreaking an Apple iOS devi by Aqualung812 · · Score: 2

    If you had ever used a jailbroken iPhone and realized the capabilities it unlocks, you would change your mind

    I'm aware of the capabilities it unlocks, but I'm just curious why I'd accept the lost stability, not just security, that happens when using an iPhone outside of the way it was designed.

    Apple is great at doing the things they intended you to do with the device. It is well known that if you try to use an Apple device in a way it wasn't designed for, it will be frustrating and difficult.

    You're swimming upstream on a jailbroken Apple iOS. Why not use an Android, which was designed with a totally different and open mentality?

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  12. Re:Never understand jailbreaking an Apple iOS devi by flopsquad · · Score: 2

    There are quite a few nifty features and tweaks available to a JB device that aren't possible on stock iOS. As others have mentioned, finer grained OS controls like f.lux, the ability to actually interact with the filesystem (on the device or plugged in), disallowed apps like emulators, removing stock apps, etc. It drove me nuts that on my first iPhone, I could silence every single sound and vibration--but every time I plugged it in, it buzzed at me. I had to jailbreak to get rid of that.

    As another poster stated, Apple are kind of design fascists. Phones, they decided for me, are just too small to support many of the multitouch gestures that the iPad uses. Jailbreak and you can have that (very useful, IMHO) functionality back. The quick access buttons are the ones they decide you need. Jailbreak and you can choose from a huge set of functions that, again, are really handy to be able to toggle quickly. I was turning certain device features (BT, hotspot, invert, etc) on and off frequently enough that creating buttons for them made a huge difference in user experience.

    Many of those features would be trivial for Apple to implement as advanced settings (hell, solitary coders are writing this stuff and giving it away for free), and not against the Apple ethos (unlike, say, emulators). But for now you have to expose yourself to security risks in order to do all this useful stuff with your expensive pocket computer.

    And Android is its own bag of cats. I've been in that bag with those cats and it's a longer story than I have time to write about here. Suffice it to say that not everything in the Androidverse is as universally open and moddable as it might appear from the iSide.

    --
    Nothing posted to /. has ever been legal advice, including this.
  13. J.A.I.L.B.R.O.K.E.N. by gumbright · · Score: 2

    "Jailbroken" needs to be in the title of this story and in the first sentence. It is the critical factor to the story. Not having it there simply makes this a troll.