The bad guys have come up with another piece of malware designed to make iOS user’s lives miserable. “AceDeceiver” infects devices without the need for an enterprise certificate or a need for the device to be jailbroken, says security firm Palo Alto Networks.
Palo Alto Networks:
AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken. This technique is called “FairPlay Man-In-The-Middle (MITM)” and has been used since 2013 to spread pirated iOS apps, but this is the first time we’ve seen it used to spread malware. (The FairPlay MITM attack technique was also presented at the USENIX Security Symposium in 2014; however, attacks using this technique are still occurring successfully.)
When downloading an app from Apple, a device will request a code from the company’s servers which proves the app was purchased by the user. The MITM attack allows hackers to trick iOS devices into thinking apps were purchased by the victim. A piece of Windows software, “Aisi Helper,” simulates iTunes’ behavior, and is disguised as a helpful tool but installs the bad guys’ iOS apps without alerting their targets.
“These malicious iOS apps provide a connection to a third party app store controlled by the author for user to download iOS apps or games. It encourages users to input their Apple IDs and passwords for more features, and provided these credentials will be uploaded to AceDeceiver’s C2 server after being encrypted”
Three different apps containing the AceDeceiver code were uploaded to the App Store between July 2015 and February 2016. The titles passed Apple’s own code review “at least” three times, and were only removed after being reported by Palo Alto.
It should be noted that this malware scheme does require users to download the Aisi Helper Windows app to their computers before the malware can spread to iOS devices. Those who have downloaded the software should remove it from their machine immediately and then change their Apple ID passwords. As is usual in cases such as this, it can all be avoided by not downloading suspicious software to your machine!
While the apps are a threat as long as they are still installed on an iOS device, it appears the apps are currently only set to be malicious to users located in mainland China. For more information about this latest attack, visit the Palo Alto website, which contains an impressive amount of information on the subject.
