AceDeceiver infects Apple's App Store

This one infects non-jailbroken iOS devices

For seven months from July 2015, three apps carrying the AceDeceiver malware were available in Apple's App Store. They posed as innocent-looking wallpaper apps, but their real purpose was to let the attackers obtain genuine FairPlay authorization codes from Apple, the one ingredient their attack needed.

A Windows program called "Aisi Helper", which claimed to help users with routine tasks such as system optimisation and backups, was in fact a trojan that silently installed the malicious apps onto any iOS device connected to the PC. Once running on the device, the malware prompted for the user's Apple ID and password and forwarded them to the attackers' servers.

Once the attackers had the authorization codes, it no longer mattered that Apple noticed the problem and removed the original apps from the App Store: the codes remained valid and could still be used to install the apps on iOS devices. Installing apps from outside the App Store normally requires a jailbroken device, but because the device sees what looks like a valid, Apple-issued authorization, non-jailbroken devices are vulnerable too.

Targets DRM flaws

Apple's DRM technology is called FairPlay, and it contains a weakness. A man-in-the-middle (MITM) attack against it has been known since 2013. It was widely used for spreading pirated iOS apps, but this is the first time it has been reported spreading malware. The technique was even presented at the USENIX Security Symposium in 2014.

This is why the attack needs the Windows program. When a user buys an app through iTunes on a PC and installs it on an iOS device, the device asks for an authorization code proving the purchase. The attackers buy the app once themselves, intercept and save that code as it flows between iTunes and Apple, and their software then impersonates iTunes towards any connected device, replaying the saved code so that the device believes the victim bought the app.

The same technique is what lets users install iOS apps they never paid for.
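To make the replay concrete, the following is a simplified model of the exchange written for this article; it is not taken from Apple's FairPlay implementation, the USENIX paper or AceDeceiver itself. The message fields, the HMAC standing in for Apple's signature, the AppleStore, IOSDevice and HardenedDevice classes, and the account and bundle names are all assumptions. It shows why a device that only checks Apple's signature on an authorization accepts one captured during the attacker's own purchase, and how binding the authorization to a per-device, single-use challenge (one possible fix, not a description of what Apple did) stops the replay.

```python
import hashlib
import hmac
import json
import secrets

# Assumption for this model only: Apple's signing secret. The device is modelled
# as verifying with the same key, standing in for the public-key check it would
# really perform; what matters is that the device can only check authenticity.
APPLE_KEY = b"constructed-example-signing-key"
APP = "com.example.wallpaper"  # constructed bundle id standing in for the AceDeceiver apps


def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(APPLE_KEY, payload, hashlib.sha256).hexdigest()


def _verify(body: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(body), sig)


class AppleStore:
    """Issues authorizations proving that an account paid for an app."""

    def purchase(self, account: str, app_id: str) -> dict:
        # Weak form: names the buyer and the app, nothing about the target device.
        body = {"account": account, "app_id": app_id}
        return {**body, "sig": _sign(body)}

    def authorize_for_device(self, account: str, app_id: str,
                             device_id: str, nonce: str) -> dict:
        # Hardened form: also bound to one device and one fresh challenge.
        body = {"account": account, "app_id": app_id,
                "device_id": device_id, "nonce": nonce}
        return {**body, "sig": _sign(body)}


class IOSDevice:
    """Models the weak check: accept any Apple-signed authorization that arrives
    over the sync link, whoever presents it and whoever bought the app."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.installed = []

    def install(self, app_id: str, auth: dict) -> bool:
        body = {"account": auth.get("account"), "app_id": auth.get("app_id")}
        if auth.get("app_id") != app_id or not _verify(body, auth.get("sig", "")):
            return False
        self.installed.append(app_id)
        return True


class HardenedDevice(IOSDevice):
    """Assumed fix (not Apple's actual change): the device issues a fresh nonce and
    accepts only an authorization signed over its own id and that nonce."""

    def __init__(self, device_id: str):
        super().__init__(device_id)
        self._nonce = None

    def challenge(self) -> str:
        self._nonce = secrets.token_hex(16)
        return self._nonce

    def install(self, app_id: str, auth: dict) -> bool:
        body = {k: auth.get(k) for k in ("account", "app_id", "device_id", "nonce")}
        ok = (self._nonce is not None
              and auth.get("device_id") == self.device_id
              and auth.get("nonce") == self._nonce
              and auth.get("app_id") == app_id
              and _verify(body, auth.get("sig", "")))
        self._nonce = None  # single use, whether or not the check passed
        if ok:
            self.installed.append(app_id)
        return ok


def fairplay_mitm_replay() -> list:
    """The attack: buy the app once, keep the authorization, and have a PC tool
    that impersonates iTunes (the Aisi Helper role) present it to every device
    that is plugged in. Returns one install result per victim device."""
    store = AppleStore()
    saved_auth = store.purchase("attacker@example.com", APP)  # captured once, reused
    victims = [IOSDevice(f"victim-{i}") for i in range(3)]
    return [d.install(APP, saved_auth) for d in victims]


def replay_against_hardened_device() -> bool:
    """Same captured authorization against a device that demands a per-device,
    single-use challenge; returns whether the replay was accepted."""
    store = AppleStore()
    attacker_dev = HardenedDevice("attacker-iphone")
    saved_auth = store.authorize_for_device("attacker@example.com", APP,
                                            attacker_dev.device_id,
                                            attacker_dev.challenge())
    if not attacker_dev.install(APP, saved_auth):
        raise RuntimeError("legitimate install should succeed")
    victim = HardenedDevice("victim-iphone")
    victim.challenge()                      # victim issues its own nonce
    return victim.install(APP, saved_auth)  # wrong device id and nonce: rejected


if __name__ == "__main__":
    print("weak devices accept the replayed code:", fairplay_mitm_replay())
    print("hardened device accepts the replayed code:", replay_against_hardened_device())
```

The point of the model is that the weak device checks authenticity (the code really came from Apple) but neither freshness nor binding (that it was issued for this device, for this user, for this install). Nothing in the exchange involves an enterprise certificate or a developer-profile prompt, which is why the attack also sidesteps the controls MDM tooling relies on.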


The concern is that the attack does not require an enterprise certificate, so this kind of malware is outside the control of MDM solutions, and running it no longer needs the user to confirm that they trust a developer profile.

The attack does not require victims to install the malicious apps manually; the Windows client does it for them. That is why the apps only needed to be available in a few regions' App Stores without affecting the success of the attack, and it also makes them much harder for Apple, or for security firms researching iOS vulnerabilities, to discover.

Although Apple has pulled the affected App Store apps, the attackers already hold the DRM authorization codes they need, so anyone in the affected regions of China who installs the Aisi Helper app on a Windows machine remains vulnerable to the trojan.


Users are warned that if they are prompted to enter their Apple ID for any reason, they should make sure they are entering it into a legitimate Apple app only, never into a third-party app. Because of App Store restrictions, a third-party app should never ask for access to an Apple ID, so any third-party app that does should raise a red flag immediately.


Palo Alto Networks warns:

Malicious apps only need to have been available in the App Store once to spread, simply requiring the victim to install the client to his or her PC. After that, infection of iOS devices is completed in the background without the user’s awareness with the only indication being a new icon on the home screen that the user won’t recall downloading.

Currently AceDeceiver appears to only affect users in China, but this won't be the case for long...

More here.