Non-jailbroken iPhones are usually close to immune to malware, thanks to Apple vetting every app before it is made available in the App Store. So far, iOS malware has relied on abusing enterprise certificates, which are designed to let companies distribute apps to their own phones. But security company Palo Alto Networks has discovered a new piece of malware that can infect iPhones by exploiting a vulnerability in Apple’s DRM mechanism.
AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken.
AceDeceiver currently uses a geotag so that it is only activated when a user is located in China, but a simple switch could allow it to infect iPhones elsewhere …
The mechanism used is known as FairPlay Man-in-the-Middle. This is an approach commonly used to distribute pirated iOS apps, but this is the first time it’s been found to install malware.
Apple allows users to purchase and download iOS apps from the App Store through the iTunes client running on their computer. They can then use the computer to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from the App Store, then intercept and save the authorization code. They then developed PC software that simulates the iTunes client’s behavior and tricks iOS devices into believing the app was purchased by the victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.
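The design weakness in the description above is that the saved authorization code proves only that the app was bought, not that it was bought for the device now asking. The toy model below is an added illustration and is not Apple's FairPlay protocol or Palo Alto Networks' code; the key, function names and the `app_id`/`device_id` values are all constructed. It places a code bound only to the app next to a code bound to the app, the requesting device and a fresh challenge, and shows that a saved code is accepted by any device in the first design but rejected in the second.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the store's signing secret. A real design would have
# the device verify a store signature with a public key rather than share a
# symmetric key; HMAC keeps the example self-contained.
STORE_KEY = b"constructed-store-signing-key"


def _mac(*fields: str) -> str:
    """Authentication tag over the given fields (hypothetical helper)."""
    return hmac.new(STORE_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


# --- Weak design: the code depends on the app alone ---------------------------

def store_issue_weak(app_id: str) -> str:
    """Store issues a code proving 'this app was purchased'."""
    return _mac("auth", app_id)


def device_verify_weak(app_id: str, code: str) -> bool:
    """Device checks the code against the app id only; any device passes."""
    return hmac.compare_digest(_mac("auth", app_id), code)


# --- Hardened design: the code is bound to the requesting device and a nonce ---

def device_challenge() -> str:
    """Fresh random challenge generated by the device for each install request."""
    return secrets.token_hex(16)


def store_issue_bound(app_id: str, device_id: str, challenge: str) -> str:
    """Store issues a code tied to app, device and this install attempt."""
    return _mac("auth", app_id, device_id, challenge)


def device_verify_bound(app_id: str, device_id: str, challenge: str, code: str) -> bool:
    """Device accepts only a code minted for its own id and its own challenge."""
    return hmac.compare_digest(_mac("auth", app_id, device_id, challenge), code)


# --- Replay scenarios -----------------------------------------------------------

def replay_accepted_weak() -> bool:
    """A code captured during one legitimate purchase is replayed to another device."""
    saved_code = store_issue_weak("com.example.constructed")      # captured once
    return device_verify_weak("com.example.constructed", saved_code)  # replay passes


def replay_accepted_bound() -> bool:
    """Same replay against the bound design: device B's challenge never matches."""
    chal_a = device_challenge()
    saved_code = store_issue_bound("com.example.constructed", "device-A", chal_a)
    assert device_verify_bound("com.example.constructed", "device-A", chal_a, saved_code)
    chal_b = device_challenge()  # device B issues its own challenge
    return device_verify_bound("com.example.constructed", "device-B", chal_b, saved_code)


if __name__ == "__main__":
    print("weak design accepts replayed code:", replay_accepted_weak())
    print("bound design accepts replayed code:", replay_accepted_bound())
```

The contrast is the whole point: once the authorization is tied to a per-device, per-request challenge, a helper program that merely replays a stored code has nothing useful to replay, which is the property the article says the current mechanism lacks.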
Although Palo Alto Networks notified Apple, which removed the apps, this does not stop the attack from working: the apps only need to have been available in the App Store once for the saved authorization code to keep working.
The good news is that, so far, only Windows PC users are at risk. AceDeceiver relies on tricking iTunes users into installing a helper client, which acts as the man-in-the-middle. But Palo Alto Networks says that the mechanism is such an easy route for installing malware that others are likely to copy the approach.
For Mac users, the best advice, as always, is to keep your security settings set to allow only Mac App Store apps to be installed, or failing that, Mac App Store and identified developers. This setting can be found under the Apple menu in System Preferences > Security & Privacy > General.