Researchers Find iOS Malware That Infects Non-Jailbroken Devices (paloaltonetworks.com)
An anonymous reader writes: Researchers at Palo Alto Networks are reporting about a new iOS malware that could infect non-jailbroken devices without a user's consent. Dubbed "AceDeceiver," the iOS malware exploits a flaw in Apple's DRM software. The researchers claim that the iOS malware could technically infect any type of iOS device, provided a user downloads a third-party app. From the blog post on Palo Alto Networks' website, "AceDeceiver is the first iOS malware we've seen that abuses certain design flaws in Apple's DRM protection mechanism -- namely FairPlay -- to install malicious apps on iOS devices regardless of whether they are jailbroken. This technique is called 'FairPlay Man-In-The-Middle (MITM)' and has been used since 2013 to spread pirated iOS apps, but this is the first time we've seen it used to spread malware." The aforementioned malware required users to download a compromised Windows application. Apple has removed three offending apps from the App Store, and it appears that only users in China were targeted.
For those interested in how the attack works, it relies on having a specific piece of malware (something akin to a rogue version of iTunes that runs in the background) installed first on your PC. After that, from what I understand, the attack roughly goes like this:
1) Attacker submits a piece of iOS malware to the official App Store and has it accepted.
2) Attacker purchases their own iOS malware from the App Store, receiving an authorization code for the purchase.
3) The PC malware gets the authorization code from the attacker.
4) The PC malware masquerades as iTunes to tell your iOS device that a new purchase is ready to install.
5) The PC malware provides the authorization code it received from the attacker.
6) Your iOS device downloads the iOS malware from the App Store.
Strangely, even though the offending apps have been pulled from the App Store, they're still available to people who have previously purchased them...including people who are getting infected via this attack, since that authorization code acts as proof of a previous purchase. Your device just thinks it's a previous purchase you made in iTunes but hadn't yet synchronized over to your device.
As for how the iOS malware was able to get into the App Store in the first place, apparently they were using geolocation to make the app display benign content in the App Store reviewer's location (in this case, they were acting like useless wallpaper apps) while serving up malicious content in China.
"...the iOS malware exploits a flaw in Apple's DRM software"
O The Irony.
Trying to protect their profits creates a situation that will almost certainly cost them money.
Perhaps you have forgotten this, which clearly explains Apple's actual stance on DRM.
There wouldn't have BEEN a digital music market if Apple hadn't figured out a reasonable compromise on DRM.
And, if you recall, Apple DROPPED DRM from their Music files YEARS ago. FairPlay is just hanging around for the people who never updated their old DRM-ed music files.