James Steidl - Fotolia
A new type of malware called "KeyRaider" reportedly stole more than 200,000 Apple accounts through jailbroken iOS devices. According to security researchers, attackers can use the malware to gain complete control of a jailbroken iOS device using Apple's iCloud service. How does this malware work, and what can users and enterprises do to mitigate -- besides not using jailbroken devices?
KeyRaider is a new iOS malware, discovered and analyzed by WeipTech and Palo Alto Networks, which has stolen over 225,000 valid Apple accounts. KeyRaider is installed on jailbroken iOS devices and steals Apple account information such as usernames, passwords and device GUIDs, or global unique identifiers, as well as Apple Push Notification certificates and private keys. The iOS malware accomplishes this by intercepting iTunes traffic on the device. The researchers also found that attackers can use KeyRaider to unlock and gain control of infected jailbroken devices via iCloud.
Users and enterprises have one primary action they can perform to mitigate the threat of KeyRaider. This type of iOS malware requires that a victim's device be jailbroken for it to function, so not jailbreaking your iOS device is step one. Jailbreaking an iOS device fundamentally violates the security of it and bypasses many of the protections built into its operating system.
KeyRaider is distributed through third-party Cydia App store repositories in China. If for some reason you need to jailbreak your iOS device, be careful where you download your mobile apps from; the researchers note Cydia repositories do not perform strict security checks on apps or tweaks uploaded to them, and to use Cydia repositories at your own risk. Users with jailbroken iOS devices should also regularly change their Apple ID password and other passwords used on the device to minimize the chance of the account being targeted by attackers. Enabling two-factor authentication for Apple ID's also can prevent the account from being hijacked. The standard practice of looking at reviews or the number of downloads to vet applications prior to installing them will be ineffective for apps from Cydia repositories; like similar malicious apps, KeyRaider will install hidden apps in the background without user interaction, which inflates the number of installs for the app and makes it look more trustworthy. Additional caution should be used when installing apps on jailbroken iOS devices, regardless of the app store or download source.
Read more on the malware discovered in the Apple App Store
Find out how the Masque attack takes advantage of an iOS security flaw
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Sophos researchers believe the SamSam ransomware campaign could be the work of one or a few threat actors using manual techniques. Learn how it works... Continue Reading
The hacking group Magecart was recently found to have run a card skimming campaign that put customer information at risk. Learn how this attack ... Continue Reading
A new version of GandCrab was discovered by researchers in July 2018 and involves the use of legacy systems. Learn how this version differs and who ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.