Palo Alto Networks Stories September 1, 2015

iOS jailbreak malware stole 225,000 Apple IDs across 18 countries, but it’s unlikely you’re at risk

Researchers from Palo Alto Networks have discovered that a piece of iOS malware successfully stole more than 225,000 Apple IDs and passwords from jailbroken phones, using them to make purchases from the official App Store. The malware, dubbed KeyRaider, also has the ability to remotely lock jailbroken iOS devices in order to hold them to ransom.

The malware was bundled into two jailbreak tweaks that let those running them download paid apps and make in-app purchases from Apple’s official App Store without paying. The tweaks hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and buy whatever apps or other items the user requested, billing them to the stolen accounts. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.

However, it’s extremely unlikely that you’re at risk: the malware can only run on jailbroken devices, and it appears to spread through only one set of Cydia repositories, run by Weiphone.

If you think your iPhone or iPad may be at risk, Palo Alto Networks has provided the following instructions to detect and remove the malware. Further details are in the company’s blog post.

Users can use the following method to determine by themselves whether their iOS device was infected:

  1. Install the OpenSSH server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep all files under this directory for these strings:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.

We also suggest all affected users change their Apple account password after removing the malware, and enable two-factor verification for Apple IDs.
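The manual check above, written out as a POSIX shell script to run over SSH on the jailbroken device. This is an added example, not Palo Alto Networks’ own tooling and not part of the original page: it greps every .dylib in the MobileSubstrate directory for the four published indicator strings, reports which indicators each flagged file matched (so that a hit on a short, generic string such as bamu can be looked at before anything is deleted), and with --remove deletes the flagged dylib together with its same-named .plist. The function names, the exit-status convention and the optional directory argument (which lets the logic be exercised on a scratch copy first) are this example’s own.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' code): automates the manual
# KeyRaider check. Run over SSH on the jailbroken device as root.
# Usage:  . ./keyraider_check.sh; keyraider_main            (report only)
#         . ./keyraider_check.sh; keyraider_main --remove   (report and delete)
# An optional directory argument overrides the default location.

# Indicator strings published by Palo Alto Networks for KeyRaider.
KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"
KEYRAIDER_DEFAULT_DIR=/Library/MobileSubstrate/DynamicLibraries

# keyraider_scan [dir]
# Prints the path of every .dylib in dir containing at least one indicator
# string. Grep-style status: 0 if anything was flagged, 1 if clean, 2 on error.
keyraider_scan() {
    dir=${1:-$KEYRAIDER_DEFAULT_DIR}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    status=1
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue            # glob matched nothing
        for s in $KEYRAIDER_STRINGS; do
            # -a: treat the Mach-O binary as text; -F: literal match;
            # -q: status only, one hit per file is enough.
            if grep -a -q -F -e "$s" -- "$lib"; then
                printf '%s\n' "$lib"
                status=0
                break
            fi
        done
    done
    return $status
}

# keyraider_matching_strings dylib
# Lists which indicators a flagged file contains, so a hit on a short,
# generic string ("bamu") can be reviewed before the file is deleted.
keyraider_matching_strings() {
    for s in $KEYRAIDER_STRINGS; do
        grep -a -q -F -e "$s" -- "$1" && printf '%s\n' "$s"
    done
    return 0
}

# keyraider_remove dylib
# Deletes the flagged dylib and the same-named .plist (the MobileSubstrate
# filter that decides which processes the tweak is injected into). The
# already-loaded copy stays in memory until the device is rebooted.
keyraider_remove() {
    lib=$1
    plist="${lib%.dylib}.plist"
    rm -f -- "$lib" "$plist"
    printf 'removed %s and %s\n' "$lib" "$plist"
}

# keyraider_main [--remove] [dir]
# Check-style status: 0 means clean, 1 means indicators were found.
keyraider_main() {
    remove=0
    if [ "${1:-}" = --remove ]; then remove=1; shift; fi
    dir=${1:-$KEYRAIDER_DEFAULT_DIR}
    hits=$(keyraider_scan "$dir") || { echo "no KeyRaider indicators in $dir"; return 0; }
    echo "$hits" | while IFS= read -r lib; do
        echo "FLAGGED: $lib ($(keyraider_matching_strings "$lib" | tr '\n' ' '))"
        if [ "$remove" = 1 ]; then keyraider_remove "$lib"; fi
    done
    return 1
}
```

Run it once without --remove, read the FLAGGED lines, then run it with --remove, reboot, and only then change the Apple ID password and turn on two-factor verification as the guidance above says; changing the password while the tweak is still loaded would hand the new credential to the same code.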

The company also notes that not jailbreaking iOS devices is the only way to protect against such exploitation.

Via Re/code

Palo Alto Networks Stories November 17, 2014

Chinese authorities arrest three suspects behind ‘WireLurker’ Mac and iOS malware

Earlier this month, a new type of Mac- and iOS-based malware called “WireLurker” appeared online. Apple responded by blocking affected apps from launching on OS X, and there is now a further development in the case.

According to ZDNet, Chinese authorities have arrested three suspects in connection with the malware and taken down the website that was found to be distributing it. The suspects are believed to be the creators of the software.

Palo Alto Networks Stories November 7, 2014

Apple has now blocked the launching of Mac apps infected with WireLurker malware, after earlier revoking security certificates to prevent them being installed on new devices. WireLurker was capable of infecting non-jailbroken iOS devices when connected to a Mac running one of the compromised apps. Over 400 Mac apps in a third-party Chinese app store were affected.

In a written statement, an Apple spokesperson said:

We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.

However, a security researcher says that it would be easy for other attackers to exploit the exact same weakness …
