Keyraider Malware Takes Aim at Jailbroken Apple iOS Devices
NEWS ANALYSIS: With jailbroken devices, the simple truth is you're at risk from a lot more than just Keyraider, which has now claimed 225,000 victims.Network security vendor Palo Alto Networks is warning about a new form of iOS malware it has dubbed Keyraider, which has already claimed 225,000 victims. Although a quarter of a million Apple accounts have potentially been compromised, most Apple users are not at risk and likely never will be. Keyraider only works against Jailbroken iOS devices in which the user has intentionally manipulated the software on their devices so that it is not be restricted to the Apple App Store. More specifically, Keyraider (to date) has only been found to be coming from the Weiphone Cydia repositories in China. Cydia is a popular third-party app repository for jailbroken iOS devices. Although China is the source of Keyraider, Palo Alto reports that the malware has affected users in 18 countries. The way the Keyraider malware works is it hooks into the SSLRead and SSLWrite functions in the itunesstored process in iOS. Secure Sockets Layer (SSL) provides encryption for data in transport, while the itunesstored process is an iTunes protocol for iOS devices to communicate with the Apple App Store. By hooking into the itunesstored process, Keyraider is able to steal a user's Apple ID and then potentially steal user information. While Keyraider is a problem for the quarter million people who may be affected, all those users chose to jailbreak their devices. There is no specific vulnerability here in iOS itself that Apple must fix immediately as some form of zero-day exploit patch. This is not the 2014 iCloud celebrity hack either where Apple needed to update some of its own back-end security processes to protect users.
That said, perhaps Apple could have stricter controls in iOS for the itunesstored process function that first checks to see if the device has been jailbroken. In my view, that one somewhat obvious step could limit some of the potential risk of Keyraider, even on jailbroken devices. A common feature on many enterprise-class mobile-device management (MDM) systems is to first check to see if a device is jailbroken. So why couldn't Apple implement the same feature for iTunes/Apple ID access?