Last week, a Chinese security website claimed that more than 220,000 iCloud accounts and passwords had been stolen from jailbroken iPhones. At that time, there was little information available about the hack or the way the attackers managed to obtain the iCloud credentials of jailbreak users.
Now a new report potentially sheds more light on that security breach, or on a situation similar to the one reported by the Chinese security website last week. According to this latest report from the research team at Palo Alto Networks, hackers have managed to steal the credentials of over 250,000 Apple IDs to date, using a new piece of malware dubbed “KeyRaider.” This malware is said to affect jailbroken devices only, but once it gains root access, the attackers can use it to steal passwords and Apple accounts from the device, and in the worst cases they can use that information to make purchases from the Apple store without the owner’s permission.
The malware is said to spread through Cydia, the most popular app store available to the jailbreak community, which offers a huge list of handy jailbreak apps and tweaks that are not available on Apple’s official App Store. KeyRaider has the ability to steal “Apple push notification service certificates and private keys, steals and shares App Store purchasing information and disables local and remote unlocking functionalities on iPhones and iPads,” according to the research team.
The KeyRaider malware was first discovered by a student at Yangzhou University in China. He started digging into the matter when he noticed strange App Store behavior. After analyzing user complaints about unauthorized App Store purchases, he found a mysterious server to which one tweak was uploading user data. That is where more than 250,000 entries were found containing users’ Apple ID details, passwords and other information needed to gain access to the accounts.
The research team also claims that the attackers can remotely lock affected handsets through KeyRaider and make them inaccessible to their owners until a ransom is paid:
It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of the previously used “rescue” methods are no longer effective.
It’s important to note that the malware only infects jailbroken iOS devices. Secondly, the majority of KeyRaider-affected users are located in China. So, all those who have not jailbroken their devices have nothing to worry about.
It’s a good reminder for those who have not yet enabled two-factor authentication for their Apple ID directly through Apple. Once two-step verification is enabled, no one will be able to access your Apple ID, even with the email address and password, without providing extra information that is only available to the ID owner.