Hackers Use a Novel Trick for Getting Malware onto Any Type of iOS Device

It’s likely only affected users in China, and only those who download third-party clients, too.

|
Mar 16 2016, 3:38pm

Apple opened its first Apple Store in Guangzhou, China on January 28, 2016. Image: ChinaFotoPress/Getty

Although Apple's iOS is generally considered robust and fairly secure, Chinese users of the mobile operating system are increasingly being targeted with malware. The latest example, dubbed "AceDeceiver" by researchers, takes advantage of a novel technique that can reportedly infect any type of iOS device, but only if users download a piece of third party software.

"AceDeceiver is the first iOS malware we've seen that abuses certain design flaws in Apple's DRM protection mechanism—namely FairPlay—to install malicious apps on iOS devices regardless of whether they are jailbroken," Claud Xiao, a security researcher from Palo Alto Networks, wrote in a blog post on Wednesday. Fair Play is Apple's technical solution for making sure that people don't steal apps, and actually pay for them.

Previous examples of iOS malware have deployed enterprise certificates, which are used by businesses to install custom apps onto devices. Hacking Team did this to get its surveillance software onto targets' phones, for example. Dodgy apps managed to sneak onto the Chinese app store last year, when it emerged that the third-party software used to make the apps in the first place was malicious.

AceDeceiver, meanwhile, takes advantage of a tactic used to download pirated iOS apps. The technique itself has been documented previously, but Xiao says this is the first time Palo Alto Networks has seen it used to spread malware.

It appears that the installed apps are capable of stealing victims' Apple IDs and passwords: they display phishing pages asking for the credentials, Xiao wrote.

First, users intentionally download a Windows program called Aisi Helper, which had some 6.6 million monthly active users as of December 2014, and is used for backing up devices, cleaning systems, and jailbreaking, Xiao wrote.

"AceDeceiver successfully bypassed Apple's code review seven times"

"Once installed, the PC client will automatically install the most recent malicious iOS app to any connected iOS device," Xiao added. (Aisi Helper can also be directly downloaded onto iOS device's by visiting the company's website. This download relies on an enterprise certificate.) Throughout February, all versions of Aisi Helper contained malware, Xiao said.

This installation from a PC "does not require user confirmation. In its user interface, a progress bar will be shown with a message 'Installing Aisi Helper…' but there isn't any option to stop it or cancel it," he wrote.

Usually, if a user purchases an app through iTunes running on their computer, their iOS device will send authentication files, and then iTunes will send some corresponding files in response, to verify that the software was actually purchased.

But in this technique, the attackers put their own malicious app onto the store, purchase it themselves, and then intercept the authentication token. (It's not totally clear how the dodgy software managed to get past Apple's vetting process. Apple did not immediately respond to a request for comment.) They then put this token onto a server they control, and use their own iTunes-like software to relay it to connected iOS devices. In the end, a malicious app has been installed onto the victim's device, without having to use an enterprise certificate, or another technique.

"By deploying [an] authorized computer in the [command and control] server, and using a client software as agent in the middle, the attacker can distribute that purchased iOS app to unlimited iOS devices," Xiao wrote.

AceDeceiver related apps have not only found their way onto the official app store, but managed to stay there for some time, Xiao wrote. Three different compromised wallpaper apps appeared on the store, in July 2015, November 2015, and January of this year, respectively. Notably, these pieces of software were updated after they were accepted by the app store, meaning that "AceDeceiver successfully bypassed Apple's code review seven times," Xiao added.

The three offending apps have been removed by Apple, and it seems unlikely that any users in the US may have been infected with AceDeceiver: Xiao wrote that the apps only display malicious behavior when a user is located in China. But it's clear that malware authors are getting much more savvy at circumventing Apple's iOS and app store protections, and could move their sights over other groups of victims.