This story is over 5 years old.


This iPhone Malware Stole 225,000 Passwords from Jailbroken Phones

Pro-tip: don’t jailbreak your iPhone.

If you have a jailbroken iPhone, be careful what apps and software you trust.

In early July, some Apple users began noticing that their accounts were being used to make unauthorized purchases through iTunes and to install iOS apps, according to research by a Chinese security team called WeipTech.

On Sunday, researchers at Palo Alto Networks revealed that those users were among the more than 225,000 victims of an iPhone malware that steals Apple user credentials.


The malware, which has been dubbed KeyRider, is able to steal Apple usernames and passwords, the device's unique identifier (GUID), App Store purchase information, and can even lock the victim's device and hold it for ransom, according to Palo Alto Networks security researcher Claud Xiao.

Palo Alto Networks believes this is the largest theft of Apple user credentials done with malware. The good news is that KeyRider can only hit users who have modified, or "jailbroken," their iPhones.

This might be the largest theft of Apple user credentials done with malware.

KeyRider was distributed through a third-party repository for Cydia, an app store for jailbroken iPhones. The repository, known as Weiphone, is not installed by default in Cydia, so users have to manually add it, Frederic Jacobs, an independent security researcher and iOS developer, confirmed.

Jailbreaking an iPhone or other iOS device removes hardware restrictions on the phone, giving users more freedom to install any software they want on the device. But it also lowers the security of the iDevice.

"Unlike Apple's App Store, Cydia doesn't require apps to be sandboxed," Jacobs told Motherboard in an online chat. "This enables third-party developers to write system tweaks for jailbroken phones."

"That's awesome for open-source tweaks you trust, but it's also very useful to distribute malware," he added.

"Don't expect that device to match the security standards of non-jailbroken devices."


Xiao wrote in his blog post that a Weiphone user named "mischa07" is likely the author of the malware. Mischa07 spread it by advertising it as a tweak to download paid apps, as well as extra in-app-purchases, for free. In reality, the tweak used stolen Apple accounts to get apps for free, according to Xiao.

Most victims of KeyRider are in China, since the Weiphone repository is popular there, according to Palo Alto Networks. But the firm found victims in 17 other countries, such as the UK, United States, France, Canada and Germany.

KeyRider is another good reminder that jailbreaking your iPhone can open it up to hackers, and you probably shouldn't do it.

"If you want to tweak your iDevice more than Apple lets you do it or install apps that are forbidden from the App Store, you might want to jailbreak your device," Jacobs said. "But don't expect that device to match the security standards of non-jailbroken devices."

UPDATE, 09/02/2015, 1:35 p.m. ET: An Apple spokesperson said that the company has "taken steps to protect those affected by the issue by automatically helping the owners reset their iCloud account with a new password," and also noted that the issue affects only jailbroken phones.