Nearly 225,000 Apple accounts have been compromised by malware dubbed KeyRaider, which steals Apple account credentials from jailbroken iOS devices.

The information comes courtesy of security firm Palo Alto Networks, which, working with the China-based technical team WeipTech, identified 92 samples of the malware. The family is said to be responsible for what is being called the largest known theft of Apple accounts caused by malware.

On Sunday, Aug. 30, Palo Alto Networks' Claud Xiao divulged through a blog post that KeyRaider was distributed via China-based "third-party Cydia repositories."

The malware targets iOS devices that have been jailbroken, that is, modified to remove Apple's restrictions. Jailbreaking strips a device of Apple's protections, including the controls on which applications it can install. Apple advises users against jailbreaking their iDevices for security reasons.

KeyRaider has reportedly impacted users in nearly 18 countries, which include the U.S., Japan, Russia, China, France, Germany, Canada, Israel, Australia, Italy, Singapore, Spain and South Korea.

KeyRaider uses MobileSubstrate to hook system processes and steals the Apple account username and password, as well as the device GUID, by intercepting iTunes traffic on the device.
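Because KeyRaider depends on a jailbreak and on MobileSubstrate being present, an app that handles sensitive data can at least detect that it is running in such an environment and refuse to proceed or raise a risk flag. The following Swift snippet is an added example, not code from the article or from Palo Alto Networks; it checks for well-known on-disk artifacts of Cydia and MobileSubstrate (the two components the article names) plus two behavioural signals. The path list is illustrative and assumed, not exhaustive, the `cydia://` check assumes `cydia` has been added to `LSApplicationQueriesSchemes` in the app's Info.plist, and a positive result should be treated as a risk signal rather than proof, since tweaks exist that hide these indicators.

```swift
import Foundation
import UIKit

/// Heuristic jailbreak indicators an iOS app can check before handling
/// account credentials. Added example; paths are assumptions drawn from
/// common jailbreak layouts, not from the article.
struct JailbreakCheck {
    /// Files and directories that normally exist only after a jailbreak.
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/Library/MobileSubstrate/DynamicLibraries",
        "/usr/sbin/sshd",
        "/bin/bash",
        "/etc/apt",
        "/private/var/lib/apt",
    ]

    /// Returns every indicator that fired, so the caller can log what
    /// triggered the decision instead of a bare yes/no.
    static func findIndicators() -> [String] {
        var found: [String] = []
        let fm = FileManager.default

        // 1. Presence of jailbreak tooling on disk.
        for path in suspiciousPaths where fm.fileExists(atPath: path) {
            found.append("path:\(path)")
        }

        // 2. A sandboxed app cannot write outside its container; if this
        //    write succeeds, the sandbox is not being enforced as expected.
        let probe = "/private/jb_probe_\(UUID().uuidString)"
        if (try? "probe".write(toFile: probe, atomically: true, encoding: .utf8)) != nil {
            found.append("writable:/private")
            try? fm.removeItem(atPath: probe)
        }

        // 3. The Cydia URL scheme is registered only when Cydia is installed.
        //    Assumes "cydia" is listed in LSApplicationQueriesSchemes.
        if let url = URL(string: "cydia://package/com.example.placeholder"),
           UIApplication.shared.canOpenURL(url) {
            found.append("scheme:cydia")
        }
        return found
    }

    /// Convenience wrapper for call sites that only need a risk flag.
    static var isLikelyJailbroken: Bool { !findIndicators().isEmpty }
}

// Usage: gate a sensitive operation on the result and record the reasons.
// let indicators = JailbreakCheck.findIndicators()
// if !indicators.isEmpty { /* log indicators, degrade functionality, alert */ }
```

Note that the iOS Simulator runs on macOS, where paths such as `/bin/bash` exist, so this check will fire there; run it on a physical device, or exclude those paths under `#if targetEnvironment(simulator)`.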

The malware is also reported to steal private keys and Apple push notification certificates. It not only shares a user's App Store purchase information, but also disables the local and remote locking functionality on both iPads and iPhones.

"KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information," per Xiao.

Palo Alto Networks notified Apple of the KeyRaider malware on August 26 and has also handed the stolen data to the company.

WeipTech, however, was able to recover only 50 percent of the stolen account details "before the attacker fixed the vulnerability." The team set up a service to help users check whether their account had been compromised. A Weiphone user dubbed "mischa07" is believed to be behind the attacks.

Photo: Ervins Strauhmanis | Flickr 
