New iOS Malware "AceDeceiver" Could Be A Threat Even to Non-Jailbroken iPhone Users

A new iOS malware has been discovered that could potentially affect “any device,” even non-jailbroken ones, according to a report from Palo Alto Networks. Dubbed AceDeceiver, this malware exploits design flaws in Apple’s Digital Rights Management (DRM) mechanism, a technique that differs from previously known iOS malware, which abused enterprise certificates to infect unmodified devices.

So what does it do, and how does it work? This malware abuses design flaws in Apple’s DRM protection mechanism, FairPlay. The technique, called “FairPlay Man-in-the-Middle” (MITM), lets attackers install apps on iOS devices without going through Apple’s security measures.

A sample scenario: a user purchases and downloads apps from the App Store through the iTunes client running on a computer. From there, the computer is used to install the apps onto their connected iOS devices with iTunes—but only after the iOS devices themselves request and receive an authorization code for each app, to prove that it has, in fact, been purchased.

In FairPlay MITM, however, the attacker intercepts and saves that authorization code and later replays it, through a third-party iTunes clone application, to “trick” other iOS devices into believing that they have legitimately purchased that particular app, so that it can be installed without paying.

The malicious part comes in when the author of such an iTunes clone makes the program use FairPlay MITM to install malicious apps onto its users’ phones without their knowledge. And that is just what happened: the third-party iTunes clone named Aisi Helper pushed malicious apps (specifically, the AceDeceiver family of apps) onto users’ phones.
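The replay that FairPlay MITM depends on, as an added example that is not part of the original article or of Palo Alto Networks’ analysis: a simplified Python model of the purchase-and-authorize flow described above. The store key, the account and app names and the HMAC construction are all constructed assumptions, not FairPlay’s real mechanics. When the authorization code depends only on the app, a code captured once installs the app on any device; binding it to a fresh nonce chosen by the installing device (an illustrative hardening, not Apple’s actual fix) makes the captured code useless elsewhere.

```python
import hashlib
import hmac
import secrets

# Constructed secret standing in for whatever key material lets a device
# check that an authorization code came from the store. Illustrative only.
STORE_KEY = b"constructed-store-signing-key"


def _code_for(app_id: str, nonce: str, bind_to_device: bool) -> str:
    """Authorization code over the app alone (weak) or app plus device nonce."""
    payload = app_id if not bind_to_device else f"{app_id}|{nonce}"
    return hmac.new(STORE_KEY, payload.encode(), hashlib.sha256).hexdigest()


class AppStore:
    """Hypothetical store: issues one authorization code per purchased app."""

    def __init__(self, bind_to_device: bool):
        self.bind_to_device = bind_to_device
        self.purchases = set()  # (account, app_id) pairs that were paid for

    def purchase(self, account: str, app_id: str) -> None:
        self.purchases.add((account, app_id))

    def authorize(self, account: str, app_id: str, device_nonce: str = "") -> str:
        if (account, app_id) not in self.purchases:
            raise PermissionError(f"{account} has not purchased {app_id}")
        return _code_for(app_id, device_nonce, self.bind_to_device)


class Device:
    """Hypothetical iOS device: installs an app only with a valid code."""

    def __init__(self, name: str, bind_to_device: bool):
        self.name = name
        self.bind_to_device = bind_to_device
        self.installed = set()
        self.pending_nonce = ""

    def begin_install(self, app_id: str) -> str:
        # In the hardened model the device picks a fresh nonce for this
        # install request; the store must cover it in the code it issues.
        self.pending_nonce = secrets.token_hex(8) if self.bind_to_device else ""
        return self.pending_nonce

    def complete_install(self, app_id: str, auth_code: str) -> bool:
        expected = _code_for(app_id, self.pending_nonce, self.bind_to_device)
        ok = hmac.compare_digest(expected, auth_code)
        if ok:
            self.installed.add(app_id)
        return ok


def legitimate_install(store: AppStore, device: Device, account: str, app_id: str) -> bool:
    """The honest flow: iTunes relays the device's request to the store."""
    nonce = device.begin_install(app_id)
    return device.complete_install(app_id, store.authorize(account, app_id, nonce))


def fairplay_mitm(bind_to_device: bool) -> bool:
    """Buy once, capture the code, replay it to a device that never paid.

    Returns True if the victim device accepts the replayed code.
    """
    app_id = "com.example.someapp"  # constructed app identifier
    store = AppStore(bind_to_device)
    store.purchase("attacker@example.com", app_id)

    # Step 1: the attacker buys the app and records the authorization code
    # as it passes from the store to their own device (the MITM step).
    attacker_device = Device("attacker-iphone", bind_to_device)
    nonce = attacker_device.begin_install(app_id)
    captured_code = store.authorize("attacker@example.com", app_id, nonce)
    attacker_device.complete_install(app_id, captured_code)

    # Step 2: the iTunes clone replays the captured code to a victim device
    # whose owner never purchased the app.
    victim = Device("victim-iphone", bind_to_device)
    victim.begin_install(app_id)
    return victim.complete_install(app_id, captured_code)


if __name__ == "__main__":
    print("app-only code, replay accepted:", fairplay_mitm(bind_to_device=False))
    print("device-bound code, replay accepted:", fairplay_mitm(bind_to_device=True))
```

The point of the model is the second step: nothing in the weak design ties the code to the device that asked for it, so the clone can present it as often as it likes, with whatever app it chooses to ship. The device-bound variant fails that replay only because the victim’s nonce never appears in the captured code; the legitimate flow still succeeds in both modes.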

These apps then connect to a third-party app store controlled by the author, from which the user can download iOS apps or games, in exchange for personal information such as Apple IDs and passwords (i.e. information theft). The user is then continuously bombarded with offers to reveal more information in exchange for more features and apps.

Apple has been notified of the threat and has removed the AceDeceiver apps from the App Store, but the underlying FairPlay MITM technique still works. The immediate impact is mainly on users in mainland China: the apps were reported to carry out their malicious routines only if the device is detected to be in mainland China. While that check can easily be circumvented through the regional settings, the fact that the technique works at all shows how even unmodified iOS devices can be affected, regardless of region.

This incident should once again remind users that while Apple's walled-garden approach does work for the most part, it is not infallible—users must take steps themselves to protect against such threats. One way of doing this, of course, is to use only first-party services and software for device management, and not resort to anything third-party or fan-created.
