
How can the KeyRaider iOS malware be mitigated?

A new type of iOS malware can hijack jailbroken iOS devices. Expert Nick Lewis explains how KeyRaider works and how to defend against the threat.

A new type of malware called "KeyRaider" reportedly stole more than 200,000 Apple accounts through jailbroken iOS devices. According to security researchers, attackers can use the malware to gain complete control of a jailbroken iOS device using Apple's iCloud service. How does this malware work, and what can users and enterprises do to mitigate -- besides not using jailbroken devices?

KeyRaider is an iOS malware family, discovered and analyzed by WeipTech and Palo Alto Networks, that has stolen more than 225,000 valid Apple accounts. It runs only on jailbroken iOS devices and steals Apple account information, including usernames, passwords and device GUIDs (globally unique identifiers), as well as Apple Push Notification service certificates and private keys. It harvests this data by intercepting iTunes traffic on the device. The researchers also found that attackers can use KeyRaider to unlock and take control of infected jailbroken devices via iCloud.

Users and enterprises have one primary mitigation against KeyRaider. The malware requires a jailbroken device to function at all, so step one is not jailbreaking your iOS device. Jailbreaking fundamentally undermines the device's security model: it bypasses many of the protections built into the operating system, including the code-signing and sandboxing controls that normally stop one app from loading unsigned code or reading another app's data, which is exactly what KeyRaider relies on to intercept iTunes traffic.

KeyRaider is distributed through third-party Cydia repositories in China. If for some reason you need a jailbroken iOS device, be careful where you download apps and tweaks from: the researchers note that Cydia repositories do not perform strict security checks on what is uploaded to them and that they are used at your own risk. Users with jailbroken devices should also change their Apple ID password, and the other passwords used on the device, regularly to limit how long any stolen credentials remain valid. Enabling two-factor authentication on the Apple ID also makes it harder to hijack the account with a stolen password alone.

The standard practice of vetting an app by its reviews or download count before installing it is ineffective for apps from Cydia repositories: like similar malicious apps, KeyRaider installs hidden apps in the background without user interaction, which inflates the install count and makes the app look more trustworthy. Use additional caution when installing apps on a jailbroken iOS device, regardless of the app store or download source.
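For an enterprise, "don't use jailbroken devices" and "don't trust third-party Cydia repositories" only become enforceable once they are turned into a compliance check. The following is an added example written for this page; it is not code from the article, from Apple, or from the WeipTech/Palo Alto Networks analysis, and it does not detect KeyRaider itself. It triages a constructed snapshot of a device (the set of file paths that exist plus the APT source lines Cydia reads) against well-known jailbreak artifacts and a list of repositories assumed to ship with a stock Cydia install. Both indicator lists and the sample snapshots are assumptions chosen for illustration; in practice an MDM agent would supply the snapshot.

```python
"""Offline jailbreak / third-party-repo triage for an iOS device snapshot.

Added example, not the researchers' KeyRaider detection logic and not code
from the original article. Indicator lists below are assumptions for
illustration, not an exhaustive or authoritative set.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Paths that only exist once the root filesystem has been modified (assumed list).
JAILBREAK_PATHS = frozenset({
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt",
    "/private/var/lib/cydia",
})

# Repository hosts assumed to ship with a stock Cydia install; anything else is
# treated as a third-party repo of the kind the article warns about.
DEFAULT_REPO_HOSTS = frozenset({
    "apt.saurik.com",
    "apt.thebigboss.org",
    "apt.modmyi.com",
    "cydia.zodttd.com",
})


@dataclass
class Finding:
    jailbroken: bool
    artifacts: list = field(default_factory=list)
    third_party_repos: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        """Stock device -> clean; jailbroken -> medium; plus unknown repos -> high."""
        if not self.jailbroken:
            return "clean"
        return "high" if self.third_party_repos else "medium"


def parse_repo_hosts(sources_lines):
    """Extract hostnames from APT 'deb <url> <suite> [components]' lines.

    Blank lines and comments are skipped; malformed lines are ignored rather
    than raising, because these files are hand-edited on jailbroken devices.
    """
    hosts = []
    for raw in sources_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("deb", "deb-src"):
            continue
        host = urlparse(parts[1]).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def assess(existing_paths, sources_lines) -> Finding:
    """Score one device snapshot. Any APT source at all implies Cydia is present."""
    artifacts = sorted(JAILBREAK_PATHS.intersection(existing_paths))
    hosts = parse_repo_hosts(sources_lines)
    third_party = sorted({h for h in hosts if h not in DEFAULT_REPO_HOSTS})
    jailbroken = bool(artifacts) or bool(hosts)
    return Finding(jailbroken, artifacts, third_party)


# Constructed snapshots for demonstration, not data from real devices.
STOCK_DEVICE = {
    "paths": ["/Applications/MobileSafari.app", "/usr/lib/libSystem.B.dylib"],
    "sources": [],
}
JAILBROKEN_DEVICE = {
    "paths": ["/Applications/Cydia.app", "/etc/apt",
              "/Library/MobileSubstrate/MobileSubstrate.dylib"],
    "sources": [
        "deb http://apt.saurik.com/ ios/1500.00 main",
        "# user-added repositories below",
        "deb http://repo.example.net/ ./",  # hypothetical third-party repo
        "deb http://Apt.TheBigBoss.org/repofiles/cydia/ stable main",
    ],
}

if __name__ == "__main__":
    for name, snap in (("stock", STOCK_DEVICE), ("jailbroken", JAILBROKEN_DEVICE)):
        f = assess(snap["paths"], snap["sources"])
        print(f"{name}: risk={f.risk} artifacts={f.artifacts} repos={f.third_party_repos}")
```

A device that scores anything other than `clean` is a candidate for the MDM to quarantine from corporate mail and iCloud-synced data until it is restored to stock iOS; the `high` tier is the combination the article describes, a jailbroken device pulling packages from a repository nobody vets.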

Next Steps

Read more on the malware discovered in the Apple App Store

Find out how the Masque attack takes advantage of an iOS security flaw

Discover the new security features in Apple iOS 8

This was last published in February 2016
