KeyRaider malware stealing Apple account info on jailbroken iOS devices

Ransom message from KeyRaider displayed on a jailbroken iPhone. Image via Palo Alto Networks.

Since iOS first appeared in 2007, people have hacked the operating system because they wanted their devices to do more. Now that there are well over 1.5 million apps available that can do just about anything your heart desires, perhaps it's time for the jailbreakers to just cool it. Why? A new piece of malware called KeyRaider that only attacks jailbroken devices is a perfect example -- it has already been responsible for stealing the Apple account info on more than 225,000 devices.

KeyRaider is distributed through third-party Cydia repositories in China and installs itself on jailbroken iOS devices. Although it appears to be aimed primarily at Chinese-speaking users, it has already affected jailbreakers in 18 countries, including the United States, the UK and Canada.

According to a well-written report by Palo Alto Networks, the malware steals Apple account info by intercepting iTunes traffic on the devices. That information includes account usernames, passwords, device GUIDs, push notification service certificates and private keys, and App Store purchasing information. The stolen data is then uploaded to a command and control server for use by about 20,000 users who have installed an iOS jailbreak tweak so that they can buy apps and in-app purchases on someone else's account.

What's even worse is that KeyRaider disables local and remote unlocking on iPhones and iPads, so that an attacker can literally lock a user out of his or her iOS device, displaying a ransom notice on the lock screen telling the user to call or text a number for unlocking instructions.

Protecting your iOS device from KeyRaider is simple; just don't jailbreak.