
Check if you have KeyRaider installed on your jailbroken iPhones/iPads

KeyRaider targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China. The malware hooks system processes through MobileSubstrate and steals Apple account usernames, passwords and the device GUID by intercepting iTunes traffic on the device. Approximately 225,000 accounts may have been compromised by the malware. KeyRaider also steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionality on iPhones and iPads.

Users can use the following method to determine for themselves whether their iOS devices were infected:

  1. Install openssh server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/ and grep all files under this directory for these strings:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, we urge users to delete it together with the plist file of the same name, then reboot the device.
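The check above can be scripted so it is run the same way every time over SSH. The following POSIX sh helper is an added example, not a tool from the Palo Alto Networks or WeipTech report; the only facts it takes from the post are the MobileSubstrate directory and the four indicator strings. The function names (keyraider_match, keyraider_scan, keyraider_remove) are the example's own.

```shell
#!/bin/sh
# Added example (not from the report): scan a MobileSubstrate DynamicLibraries
# directory for the KeyRaider indicator strings named in the post and, on
# request, remove each flagged dylib together with its companion .plist.

# Indicator strings named in the post.
KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"

# Default location of MobileSubstrate tweaks on a jailbroken device.
KEYRAIDER_DIR="/Library/MobileSubstrate/DynamicLibraries"

# keyraider_match FILE
# Prints the first indicator string found in FILE and returns 0; returns 1 if
# none of the strings is present.
keyraider_match() {
    for s in $KEYRAIDER_STRINGS; do
        # -a: treat the Mach-O binary as text; -F: literal match, not a regex.
        if grep -q -a -F -- "$s" "$1"; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    return 1
}

# keyraider_scan [DIR]
# Searches every .dylib in DIR (default: the MobileSubstrate directory) and
# prints one tab-separated line per hit:
#   <dylib path> <matching string> <companion plist present: yes|no>
keyraider_scan() {
    dir="${1:-$KEYRAIDER_DIR}"
    for f in "$dir"/*.dylib; do
        # An unmatched glob stays literal in sh; skip it.
        [ -f "$f" ] || continue
        if s=$(keyraider_match "$f"); then
            plist="${f%.dylib}.plist"
            if [ -f "$plist" ]; then p=yes; else p=no; fi
            printf '%s\t%s\t%s\n' "$f" "$s" "$p"
        fi
    done
    return 0
}

# keyraider_remove [DIR]
# Deletes every flagged dylib and the .plist of the same name, as the post
# recommends, and prints how many dylibs were removed. Reboot afterwards so
# MobileSubstrate no longer loads the hook.
keyraider_remove() {
    dir="${1:-$KEYRAIDER_DIR}"
    n=0
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue
        if keyraider_match "$f" >/dev/null; then
            rm -f -- "$f" "${f%.dylib}.plist"
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
    return 0
}

# Stand-alone use: report only. Review the list, then call keyraider_remove
# (or delete the files by hand) and reboot.
keyraider_scan "$@"
```

Run it on the device as `sh keyraider.sh`, or pass another directory to scan a copy of the files pulled off the device. Matching is done with fixed strings against the raw binary, so a tweak that merely mentions one of these words in a string table will be flagged too; the output is a list to review, not a verdict, which is why removal is a separate step.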

Palo Alto Networks and WeipTech have put together a web-based tool at weiptech.org to help you check if your account has been compromised. We also suggest that all affected users change their Apple account password after removing the malware and enable two-factor verification for their Apple IDs. For the in-depth report, click on the source link below.

Source: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

Featured image by Patrick Lauke.
