Researchers Find iOS Malware That Infects Non-Jailbroken Devices (paloaltonetworks.com) 39

An anonymous reader writes: Researchers at Palo Alto Networks are reporting about a new iOS malware that could infect non-jailbroken devices without a user's consent. Dubbed "AceDeceiver," the iOS malware exploits a flaw in Apple's DRM software. The researchers claim that the iOS malware could technically infect any type of iOS device, provided a user downloads a third-party app. From the blog post on Palo Alto Networks' website, "AceDeceiver is the first iOS malware we've seen that abuses certain design flaws in Apple's DRM protection mechanism -- namely FairPlay -- to install malicious apps on iOS devices regardless of whether they are jailbroken. This technique is called "FairPlay Man-In-The-Middle (MITM)" and has been used since 2013 to spread pirated iOS apps, but this is the first time we've seen it used to spread malware." The aforementioned malware required users to download a compromised Windows application. Apple has removed three offending apps from the App Store, and it appears that only users in China were targeted.
  • we'll ride them someday
  • by bigdady92 ( 635263 ) on Wednesday March 16, 2016 @02:40PM (#51709757) Homepage
    they now have their backdoor into the system courtesy of the Chinese.
    • Right, the FBI just needs to install a compromised app on the phone, which will then allow them to use that app to download another app to get into the inner workings of the phone so that they can get the pass code necessary to unlock the phone in the first place.

  • Well that's what happens when you have software that ignores the user's actions and overrides them. You want to do it "for protecting copyrights", but the software isn't coded to obey copyrights (it wouldn't be DRM if it did, since the copyright owners don't want their copyrights managed to the extent of the law, they want extrajudicial rights you cannot get returned by a court case), so it doesn't give a shit what you want to use it for, it just avoids letting the user use their device for what they want a

  • by Anonymous Coward

    Modern app appers know that ONLY apps can app apps, and Apple's AppPhone is so appy, that it's impossible for LUDDITE malware to infect it!

    Apps!

  • "...the iOS malware exploits a flaw in Apple's DRM software"

    O The Irony.

    Trying to protect their profits creates a situation that will almost certainly cost them money.

    • by Anonymous Coward

      That'll likely be patched before Verizon sends out their next Android update.

      (Yes, I went there and yes, you know it's true.)

    • by macs4all ( 973270 ) on Wednesday March 16, 2016 @03:28PM (#51710173)

      "...the iOS malware exploits a flaw in Apple's DRM software"

      O The Irony.

      Trying to protect their profits creates a situation that will almost certainly cost them money.

      Perhaps you have forgotten this [macdailynews.com], which clearly explains Apple's actual stance on DRM.

      There wouldn't have BEEN a digital music market if Apple hadn't figured out a reasonable compromise on DRM.

      And, if you recall, Apple DROPPED DRM from their Music files YEARS ago. FairPlay is just hanging around for the people who never updated their old DRM-ed music files.

      • FairPlay is still used on movies, TV shows and music videos, is it not?

        • FairPlay is still used on movies, TV shows and music videos, is it not?

          In all honesty, I wondered that too, but didn't have the time to research whether that was actually FairPlay, or something else.

      • by SeaFox ( 739806 )

        FairPlay is just hanging around for the people who never updated their old DRM-ed music files.

        Or can't? I have files that are not available as a free iTunes+ upgraded version due to being released as promotional albums before. One is a song from a band that is literally no longer on the store. I still have my one 128 kbps AAC track, though. I guess Apple's arrangement with the label they are on ended so I can't even buy a replacement copy.

    • by rsborg ( 111459 )

      "...the iOS malware exploits a flaw in Apple's DRM software"

      O The Irony.

      Trying to protect their profits creates a situation that will almost certainly cost them money.

      You do realize that Apple only added DRM because the media industry demanded it?

      Well, maybe now Tim will use this as a reason to ditch DRM altogether....

  • by Anubis IV ( 1279820 ) on Wednesday March 16, 2016 @03:22PM (#51710133)

    For those interested in how the attack works, it relies on having a specific piece of malware (something akin to a rogue version of iTunes that runs in the background) installed first on your PC. After that, from what I understand, the attack roughly goes like this:

    1) Attacker submits a piece of iOS malware to the official App Store and has it accepted.
    2) Attacker purchases their own iOS malware from the App Store, receiving an authorization code for the purchase.
    3) The PC malware gets the authorization code from the attacker.
    4) The PC malware masquerades as iTunes to tell your iOS device that a new purchase is ready to install.
    5) The PC malware provides the authorization code it received from the attacker.
    6) Your iOS device downloads the iOS malware from the App Store.

    Strangely, even though the offending apps have been pulled from the App Store, they're still available to people who have previously purchased them...including people who are getting infected via this attack, since that authorization code acts as proof of a previous purchase. Your device just thinks it's a previous purchase you made in iTunes but hadn't yet synchronized over to your device.

    As for how the iOS malware was able to get into the App Store in the first place, apparently they were using geolocation to make the app display benign content in the App Store reviewer's location (in this case, they were acting like useless wallpaper apps) while serving up malicious content in China.

    • The long string of events here makes it sound like this is relatively benign but it's actually pretty serious. There's no way that an App Store can be policed perfectly. It's impossible to secure Windows. Which means that this will become a depressing game of whack-a-mole. But it also seems here to imply that a purchase authorization code can be shared! Which only makes this worse as people may install the malware for the promise of free, paid apps. Probably the weakness of reusing authorization codes
      • The ability of reusing authorization codes is pretty bad. I am surprised it's not locked to the iTunes/Apple ID. I guess that would be the next step by Apple.... unless there is some reason that doing that would be a problem?? I can't really see why. Maybe it would affect free app give-away codes? Honestly don't know.
      • The long string of events here makes it sound like this is relatively benign but it's actually pretty serious.

        Completely agree. In retrospect, I wish that I had summed them up into a shorter list, since it does make it seem like it's pretty difficult to pull off, when, in actuality, it isn't really. The hardest part is getting the malware onto their PC. After that, it's a cakewalk.

        • Apparently it's easy to subvert the ad networks to deliver malware. That was the other story of the day when this posted. Admittedly drive-by malware is getting hard so that attack wasn't terribly effective, but if a state-sponsored entity put the two of those together, it could spell serious disruption.
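The step list above and the replies about reusable authorization codes raise the design question of why an install authorization can be handed from one machine to another at all. As an added illustration, not part of any comment here and not a description of Apple's actual FairPlay protocol, the following hypothetical store back end in Python shows the mitigation the thread suggests: each install authorization is HMAC-signed, bound to the purchasing account and to one device, carries an expiry, and is recorded once redeemed so that a replayed or relocated token is refused. The class name, key, account and device identifiers and app id are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


class AuthorizationServer:
    """Hypothetical store back end (illustration only, not Apple's FairPlay).

    Every install authorization it issues is bound to the purchasing account
    and to one device, carries an expiry, and can be redeemed exactly once.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.redeemed = set()  # nonces already used; a real server would persist these

    def issue(self, account_id: str, device_id: str, app_id: str,
              ttl: int = 600, now: Optional[float] = None) -> str:
        """Return a signed token tying this purchase to account, device and app."""
        now = time.time() if now is None else now
        claims = {
            "account": account_id,
            "device": device_id,
            "app": app_id,
            "nonce": secrets.token_hex(8),  # makes each token single-use
            "exp": int(now + ttl),
        }
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag

    def redeem(self, token: str, account_id: str, device_id: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Accept the token only from the account and device it was issued to, once."""
        now = time.time() if now is None else now
        try:
            body_hex, tag = token.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        claims = json.loads(body)
        if now > claims["exp"]:
            return False, "expired"
        if claims["account"] != account_id:
            return False, "account mismatch"
        if claims["device"] != device_id:
            return False, "device mismatch"
        if claims["nonce"] in self.redeemed:
            return False, "already redeemed"
        self.redeemed.add(claims["nonce"])
        return True, "ok"


def demo() -> dict:
    """Walk through the cases: legitimate use, replay, another device, another account, tampering, expiry."""
    server = AuthorizationServer(key=b"constructed-demo-key")
    t0 = 1_700_000_000.0  # fixed clock so the run is reproducible
    acct, dev, app = "alice@example.invalid", "device-A", "com.example.wallpaper"  # constructed values
    results = {}

    token = server.issue(acct, dev, app, now=t0)
    results["first_use"] = server.redeem(token, acct, dev, now=t0 + 5)
    # Presenting the same token again (what a shared authorization code amounts to) is refused.
    results["replay"] = server.redeem(token, acct, dev, now=t0 + 6)

    fresh = server.issue(acct, dev, app, now=t0)
    results["other_device"] = server.redeem(fresh, acct, "device-B", now=t0 + 5)
    results["other_account"] = server.redeem(fresh, "mallory@example.invalid", dev, now=t0 + 5)

    # Flip one hex digit of the signed body: the MAC no longer matches.
    body_hex, tag = fresh.split(".")
    tampered = ("0" if body_hex[0] != "0" else "1") + body_hex[1:] + "." + tag
    results["tampered"] = server.redeem(tampered, acct, dev, now=t0 + 5)

    # Well past the 600-second lifetime, even the untouched token is dead.
    results["expired"] = server.redeem(fresh, acct, dev, now=t0 + 3600)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The checks are ordered so that the cheapest unforgeable test (the MAC) runs first and the stateful one (the nonce set) last; the nonce is only recorded after every other check passes, so a failed attempt from the wrong device does not burn the legitimate owner's authorization.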
    • by swb ( 14022 )

      Does Apple have any developer guidelines on use of geolocation information, or do they presume that because there's fine grained controls over privileges that they don't need to have any?

      I would think that apps without any rational need for location information (like useless wallpaper apps) would raise a red flag for further scrutiny. Unless of course Apple sees collecting geolocation information on users to resell elsewhere as just "part of the app business model".

    • Mod the parent +10 interesting ..

      So, it's Microsoft Windows malware that compromises iOS devices authorized to install apps through Windows ..
      --

      A lot of free adverts for Palo Alto Networks lately?
  • Comment removed based on user account deletion
    • It's a gooder form of targeting.
  • "a new iOS malware that could infect non-jailbroken devices .. provided a user downloads a third-party app"

    What would make a real story is if this 'iOS malware' infected the device without the user visiting a malicious website, downloading and explicitly installing the malware.
    --

    Lately, we've been seeing a lot of free adverts for Palo Alto Networks?
