Slashdot Mirror


Researchers Find iOS Malware That Infects Non-Jailbroken Devices (paloaltonetworks.com)

An anonymous reader writes: Researchers at Palo Alto Networks are reporting about a new iOS malware that could infect non-jailbroken devices without a user's consent. Dubbed "AceDeceiver," the iOS malware exploits a flaw in Apple's DRM software. The researchers claim that the iOS malware could technically infect any type of iOS device, provided a user downloads a third-party app. From the blog post on Palo Alto Networks' website, "AceDeceiver is the first iOS malware we've seen that abuses certain design flaws in Apple's DRM protection mechanism -- namely FairPlay -- to install malicious apps on iOS devices regardless of whether they are jailbroken. This technique is called "FairPlay Man-In-The-Middle (MITM)" and has been used since 2013 to spread pirated iOS apps, but this is the first time we've seen it used to spread malware." The aforementioned malware required users to download a compromised Windows application. Apple has removed three offending apps from the App Store, and it appears that only users in China were targetted.

39 comments

  1. Mr. Vild style horses by Anonymous Coward · · Score: 0

    couldn't drag me away...

  2. it's easy to do by turkeydance · · Score: 1

    we'll ride them someday

  3. Call the FBI by bigdady92 · · Score: 2

    they now have their backdoor into the system courtesy of the Chinese.

    --
    Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
    1. Re:Call the FBI by amicusNYCL · · Score: 2

      Right, the FBI just needs to install a compromised app on the phone, which will then allow them to use that app to download another app to get into the inner workings of the phone so that they can get the pass code necessary to unlock the phone in the first place.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Call the FBI by Anonymous Coward · · Score: 0

      Will Apple stop their fear mongering now? Their entire argument is moot because iphones are not secure while they are being used. Physical access to a device with a person skilled in changing firmware on an ios device would be needed to 'hack' an iphone under the scenario they are supposing will happen if they give the FBI a back-door, which would cover a very very small percentage of 'hacks' out in the wild - your iphone is at far more risk just by turning it on and using it.

    3. Re:Call the FBI by Midnight+Thunder · · Score: 1

      In the same way, if the phones aren't secure, then the FBI doesn't need Apple to get access, so why are they making such a scene?

      --
      Jumpstart the tartan drive.
    4. Re:Call the FBI by vlad30 · · Score: 1

      To give you a false sense of security

      --
      You're all thinking it, I just said it for you
    5. Re:Call the FBI by Anonymous Coward · · Score: 0

      Will the iPhone continue to update apps in its current state? I wonder if they could feed it an app update containing some kind of payload.

  4. malware exploits a flaw in Apple's DRM software by Anonymous Coward · · Score: 1

    Well that's what happens when you have software that ignores the user's actions and overrides them. You want to do it "for protecting copyrights", but the software isn't coded to obey copyrights (it wouldn't be DRM if it did, since the copyright owners don't want their copyrights managed to the extent of the law, they want extrajudicial rights you cannot get returned by a court case), so it doesn't give a shit what you want to use it for, it just avoids letting the user use their device for what they want and insists on overriding it.

    It's ALL malware.

    It's merely legally protected and "normalised" malware for people with official money and power, rather than unofficial money and power.

  5. This article is filled with LUDDITE LIES! by Anonymous Coward · · Score: 1

    Modern app appers know that ONLY apps can app apps, and Apple's AppPhone is so appy, that it's impossible for LUDDITE malware to infect it!

    Apps!

    1. Re:This article is filled with LUDDITE LIES! by phishybongwaters · · Score: 0

      I was just talking about you today on another thread, you asshat. Get a fucking job

    2. Re:This article is filled with LUDDITE LIES! by Anonymous Coward · · Score: 0

      Moooo you apping cow!

    3. Re:This article is filled with LUDDITE LIES! by Anonymous Coward · · Score: 0

      Considering you're posting at noon in the middle of the week, I can only assume it is you that doesn't have a job.

    4. Re:This article is filled with LUDDITE LIES! by Anonymous Coward · · Score: 0

      Oh yes, everyone on the planet lives in the same time zone as you, AC.

    5. Re:This article is filled with LUDDITE LIES! by Anonymous Coward · · Score: 0

      "Cows go MOO" is funnier.

  6. Expected Outcome Should Be Expected by JustAnotherOldGuy · · Score: 1, Insightful

    "...the iOS malware exploits a flaw in Apple's DRM software"

    O The Irony.

    Trying to protect their profits creates a situation that will almost certainly cost them money.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Expected Outcome Should Be Expected by Anonymous Coward · · Score: 1

      That'll likely be patched before Verizon sends out their next Android update.

      (Yes, I went there and yes, you know it's true.)

    2. Re:Expected Outcome Should Be Expected by macs4all · · Score: 5, Informative

      "...the iOS malware exploits a flaw in Apple's DRM software"

      O The Irony.

      Trying to protect their profits creates a situation that will almost certainly cost them money.

      Perhaps you have forgotten this, which clearly explains Apple's actual stance on DRM.

      There wouldn't have BEEN a digital music market if Apple hadn't figured out a reasonable compromise on DRM.

      And, if you recall, Apple DROPPED DRM from their Music files YEARS ago. FairPlay is just hanging around for the people who never updated their old DRM-ed music files.

    3. Re:Expected Outcome Should Be Expected by U2xhc2hkb3QgU3Vja3M · · Score: 1

      FairPlay is still used on movies, TV shows and music videos, is it not?

    4. Re:Expected Outcome Should Be Expected by macs4all · · Score: 1

      FairPlay is still used on movies, TV shows and music videos, is it not?

      In all honesty, I wondered that too, but didn't have the time to research whether that was actually FairPlay, or something else.

    5. Re:Expected Outcome Should Be Expected by rsborg · · Score: 1

      "...the iOS malware exploits a flaw in Apple's DRM software"

      O The Irony.

      Trying to protect their profits creates a situation that will almost certainly cost them money.

      You do realize that Apple only added DRM because the media industry demanded it?

      Well, maybe now Tim will use this as a reason to ditch DRM altogether....

      --
      Make sure everyone's vote counts: Verified Voting
    6. Re:Expected Outcome Should Be Expected by SeaFox · · Score: 1

      FairPlay is just hanging around for the people who never updated their old DRM-ed music files.

      Or can't? I have files that are not available as a free iTunes+ upgraded version due to being released as promotional albums before. One is a song from a band that is literally no longer on the store. I still have my one 128 kbps AAC track, though. I guess Apple's arrangement with the label they are on ended so I can't even buy a replacement copy.

    7. Re:Expected Outcome Should Be Expected by garote · · Score: 1

      How did that band get into the server room?!

  7. The tl;dr version of how the attack works by Anubis+IV · · Score: 4, Informative

    For those interested in how the attack works, it relies on having a specific piece of malware (something akin to a rogue version of iTunes that runs in the background) installed first on your PC. After that, from what I understand, the attack roughly goes like this:

    1) Attacker submits a piece of iOS malware to the official App Store and has it accepted.
    2) Attacker purchases their own iOS malware from the App Store, receiving an authorization code for the purchase.
    3) The PC malware gets the authorization code from the attacker.
    4) The PC malware masquerades as iTunes to tell your iOS device that a new purchase is ready to install.
    5) The PC malware provides the authorization code it received from the attacker.
    6) Your iOS device downloads the iOS malware from the App Store.

    Strangely, even though the offending apps have been pulled from the App Store, they're still available to people who have previously purchased them...including people who are getting infected via this attack, since that authorization code acts as proof of a previous purchase. Your device just thinks it's a previous purchase you made in iTunes but hadn't yet synchronized over to your device.

    As for how the iOS malware was able to get into the App Store in the first place, apparently they were using geolocation to make the app display benign content in the App Store reviewer's location (in this case, they were acting like useless wallpaper apps) while serving up malicious content in China.

    1. Re:The tl;dr version of how the attack works by edtice1559 · · Score: 2

      The long string of events here makes it sound like this is relatively benign but it's actually pretty serious. There's no way that an App Store can be policed perfectly. It's impossible to secure Windows. Which means that this will become a depressing game of whack-a-mole. But it also seems here to imply that a purchase authorization code can be shared! Which only makes this worse as people may install the malware for the promise of free, paid apps. Probably the weakness of reusing authorization codes is well known, but it was new information to me.

    2. Re:The tl;dr version of how the attack works by swb · · Score: 1

      Does Apple have any developer guidelines on use of geolocation information, or do they presume that because there's fine grained controls over privileges that they don't need to have any?

      I would think that apps without any rational need for location information (like useless wallpaper apps) would raise a red flag for further scrutiny. Unless of course Apple sees collecting geolocation information on users to resell elsewhere as just "part of the app business model".

    3. Re:The tl;dr version of how the attack works by Anubis+IV · · Score: 1

      The long string of events here makes it sound like this is relatively benign but it's actually pretty serious.

      Completely agree. In retrospect, I wish that I had summed them up into a shorter list, since it does make it seem like it's pretty difficult to pull off, when, in actuality, it isn't really. The hardest part is getting the malware onto their PC. After that, it's a cakewalk.

    4. Re:The tl;dr version of how the attack works by khz6955 · · Score: 1

      Mod the parent +10 interesting ..

      So, it's Microsoft Windows malware that compromises iOS devices authorized to install apps through Windows ..
      --
      A lot of free adverts for Palo Alto Networks lately?

    5. Re:The tl;dr version of how the attack works by edtice1559 · · Score: 1

      Apparently it's easy to subvert the ad networks to deliver malware. That was the other story of the day when this posted. Admittedly drive-by malware is getting hard so that attack wasn't terribly effective, but if a state-sponsored entity put the two of those together, it could spell serious disruption.

  8. targetted? by reboot246 · · Score: 0

    What is "targetted"?

    Did you mean targeted? Does anybody have even a high school diploma around here?

    1. Re:targetted? by edtice1559 · · Score: 1

      It's a gooder form of targeting.

    2. Re:targetted? by Anonymous Coward · · Score: 0

      In this case, "targetted" is the past tense of the verb "target". For historical reasons, the accepted spelling is "targeted" with just 2 t's in total, whereas the intuitive spelling, with 3 t's in total, is conventionally regarded as a misspelling.

    3. Re:targetted? by rsborg · · Score: 1

      In this case, "targetted" is the past tense of the verb "target". For historical reasons, the accepted spelling is "targeted" with just 2 t's in total, whereas the intuitive spelling, with 3 t's in total, is conventionally regarded as a misspelling.

      Sounds just like cancelled vs canceled. Both are acceptable, though double-L is the more common usage (although that's changing).

      --
      Make sure everyone's vote counts: Verified Voting
  9. reusing authorization codes by Immerial · · Score: 1

    The ability of reusing authorization codes is pretty bad. I am surprised it's not locked to the iTunes/Apple ID. I guess that would be the next step by Apple.... unless there is some reason that doing that would be a problem?? I can't really see why. Maybe it would affect free app give-away codes? Honestly don't know.
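    The sequence in comment 7 and the account-binding question in comment 9 both come down to one property: whether the purchase authorization the iOS device accepts from the host is a bearer token (anyone holding it can redeem it) or is bound to the purchasing account and to a challenge from the specific device. The Python below is an added toy model written for this page; it is not Apple's FairPlay protocol, not code from Palo Alto Networks, and the message layout, key, app name and account names are all constructed assumptions. It shows the replay working against a device that only checks the store's signature, then failing once the code is tied to the device's own account and a one-shot nonce, and it reproduces the detail from comment 7 that pulling an app from the storefront does not stop downloads backed by a valid prior-purchase code.

```python
import hashlib
import hmac
import json
import secrets

# Constructed signing key: stands in for whatever key material the real
# store uses. Nothing in this file is Apple's actual format or key.
STORE_KEY = b"example-store-signing-key"


def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()


def _valid(code: dict) -> bool:
    return hmac.compare_digest(_sign(code["payload"]), code["sig"])


class AppStore:
    """Toy store: issues authorization codes on purchase, serves binaries."""

    def __init__(self):
        self.catalog = {"wallpaper.app": b"<constructed app binary>"}
        self.pulled = set()

    def purchase(self, account: str, app_id: str, device_nonce=None) -> dict:
        if app_id not in self.catalog or app_id in self.pulled:
            raise LookupError("not on the storefront")
        payload = {"app_id": app_id, "account": account}
        if device_nonce is not None:          # hardened: bind to one device challenge
            payload["nonce"] = device_nonce
        return {"payload": payload, "sig": _sign(payload)}

    def pull(self, app_id: str) -> None:
        self.pulled.add(app_id)               # gone from the storefront ...

    def download(self, code: dict) -> bytes:
        # ... but a valid code still counts as proof of prior purchase, which is
        # the behaviour comment 7 describes for the removed apps.
        if not _valid(code):
            raise PermissionError("bad signature")
        return self.catalog[code["payload"]["app_id"]]


class Device:
    """Toy iOS device. bind_to_account=False models the bearer-token check."""

    def __init__(self, account: str, store: AppStore, bind_to_account: bool):
        self.account = account
        self.store = store
        self.bind = bind_to_account
        self.installed = {}
        self.outstanding_nonce = None

    def challenge(self) -> str:
        self.outstanding_nonce = secrets.token_hex(8)
        return self.outstanding_nonce

    def install_from_host(self, code: dict) -> bool:
        """Called by whatever sits on the USB side claiming to be iTunes."""
        if not _valid(code):
            return False
        p = code["payload"]
        if self.bind:
            if p.get("account") != self.account:
                return False                  # someone else's purchase
            if p.get("nonce") != self.outstanding_nonce:
                return False                  # replayed, or never requested here
            self.outstanding_nonce = None     # one-shot: a second use fails
        self.installed[p["app_id"]] = self.store.download(code)
        return True


def run_attack(bind_to_account: bool) -> bool:
    """Attacker buys the app, the app is pulled, the PC malware replays the code."""
    store = AppStore()
    attacker_code = store.purchase("attacker@example", "wallpaper.app")
    store.pull("wallpaper.app")
    victim = Device("victim@example", store, bind_to_account)
    victim.challenge()                        # a real sync would issue this too
    return victim.install_from_host(attacker_code)


def run_legit_sync(bind_to_account: bool) -> bool:
    """The owner's own purchase, tied to a challenge from their own device."""
    store = AppStore()
    owner = Device("victim@example", store, bind_to_account)
    code = store.purchase("victim@example", "wallpaper.app", owner.challenge())
    return owner.install_from_host(code)


def run_replay_of_own_code() -> bool:
    """Even the owner's bound code must not install twice (nonce is one-shot)."""
    store = AppStore()
    owner = Device("victim@example", store, bind_to_account=True)
    code = store.purchase("victim@example", "wallpaper.app", owner.challenge())
    owner.install_from_host(code)
    return owner.install_from_host(code)


if __name__ == "__main__":
    print("bearer-token device infected:", run_attack(False))
    print("bound-token device infected: ", run_attack(True))
    print("legit sync (bound):          ", run_legit_sync(True))
```

The signature check passes in every case, because the store really did issue the code; what separates the two devices is whether the code says anything about who may redeem it and on which sync. Binding to the account alone is not enough either, which is why the model also requires a nonce the device handed out: without it, a code stolen from the legitimate owner's own PC could be replayed against the same account indefinitely.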

  10. I'd have to trust that computer by Anonymous Coward · · Score: 0

    iOS devices don't install apps from computers until you agree to trust the computer from the device.

    So don't trust this computer.

    Isn't that what the system of trusting/not trusting was for, so you can avoid getting malware inserted by devices you really shouldn't trust? This is another form of attack used by the "USB chargers" which are really hosts that want to install apps. And you stop it in the same way, by clicking "no" to trusting something you don't trust.

  11. Fairplay? by Anonymous Coward · · Score: 0

    Thought that was something that was going to allow Manchester City to win the BPL every year.

  12. iOS vs Android Patching by Anonymous Coward · · Score: 0

    I don't mind you going there. Android phones have a theoretical patch window of 1.5 years. And that clock starts ticking immediately after the device is released. So, if you're like me, and you wait for a phone to become inexpensive, you have - at best - a practical patch window of about six to eight months. That's it. It's even slower if you buy a phone from a carrier. Guess it takes a lot of time to bloat up that ROM with those carrier based tracking apps, CarrierIQ, anyone? What really gets my goat is that AT&T usually patches their phone updates after Verizon (if at all).

    I have a 4 year old AT&T Samsung S3 (or i747, a four year old phone) which has Lollipop 5.1.1 (CyanogenMod). I also have an AT&T Samsung Note 3, a three year old phone, also from AT&T, but it is stuck on Lollipop 5.0.1 (TouchWiz). The S3 is going to get Marshmallow, while the Note3 development has all but stopped.

    The difference is just one small thing: The S3 has an unlocked bootloader, and the Note3 has a locked & signed bootloader. The Note3 cannot possibly run anything other than an AT&T blessed TouchWiz ROM. Shame, really, as the Note3 has some nice hardware (and screen real estate) compared to the S3.

    TL;DR Don't buy an Android phone from a carrier, and be sure the one you get doesn't have a locked & signed bootloader, so you can do the updates that the phone vendor won't do.

    1. Re:iOS vs Android Patching by narcc · · Score: 1

      They really need better support. My BlackBerry is over 3 years old now, yet I just got an OS update last week. I wonder why a larger manufacturer like Samsung can't be bothered to push updates for at least as long as the average contract length!

  13. Malware could infect non-jailbroken devices? by khz6955 · · Score: 1

    "a new iOS malware that could infect non-jailbroken devices .. provided a user downloads a third-party app"

    What would make a real story is if this 'iOS malware' infected the device without the user visiting a malicious website, downloading and explicitly installing the malware.
    --
    Lately, we've been seeing a lot of free adverts for Palo Alto Networks?