The largest known theft of Apple accounts by malware has seen nearly a quarter of a million accounts compromised by code targeting app pirates.
The hack spree, affecting at least 225,000 valid Apple accounts, is hitting jailbroken iThings – devices on which Cupertino's strict security controls have been bypassed and disabled.
Jailbreaking is popular but actively smothered by Apple, which releases iOS updates to patch the exploits that jailbreak tools rely on. People jailbreak to use additional tweaks available through the alternative Cydia store, and – some of them – to pirate software by installing ripped-off apps for free.
Palo Alto Networks researcher Claud Xiao says the KeyRaider malware, hidden in jailbreak tweaks, is slurping Apple account credentials and device GUIDs out of iTunes traffic on the device and siphoning them off to remote servers.
"We believe this to be the largest known Apple account theft caused by malware," Xiao says.
"The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.
"The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying."
Ransom message on locked iPhone.
Xiao says KeyRaider steals Apple push notification service certificates and private keys, shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.
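Because KeyRaider rides in on a jailbreak tweak and gets into system processes through MobileSubstrate, the first triage question for a suspect device is whether Substrate is installed and which tweak libraries it injects. The helper below is an added example, not code from the Palo Alto Networks write-up: it takes a file listing pulled from a device (via SSH or a filesystem dump; the listing here is constructed) and flags the standard jailbreak artefacts plus every dylib under Substrate's DynamicLibraries directory. The indicator paths are the usual Cydia and MobileSubstrate locations; KeyRaider's own file names are not on this page and are not guessed here.

```python
"""Jailbreak and MobileSubstrate tweak triage over an iOS file listing.

Added example, not from the original article. Paths below are the standard
Cydia / MobileSubstrate locations; the sample listing is constructed.
"""
import posixpath

# Classic jailbreak artefacts: Cydia itself, the Substrate loader, and the
# shells/package tooling that jailbreaks install.
JAILBREAK_INDICATORS = (
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd",
    "/bin/bash",
    "/etc/apt",
)

# Every .dylib in this directory is injected by Substrate into the processes
# named by its sibling .plist filter; this is where a credential-stealing
# tweak lives.
SUBSTRATE_TWEAK_DIR = "/Library/MobileSubstrate/DynamicLibraries"


def jailbreak_indicators(paths):
    """Return the known jailbreak artefacts present in the listing."""
    present = set(paths)
    return [p for p in JAILBREAK_INDICATORS if p in present]


def substrate_tweaks(paths):
    """Return (dylib name, has_filter_plist) for each Substrate tweak."""
    names = set()
    for p in paths:
        d, name = posixpath.split(p)
        if d == SUBSTRATE_TWEAK_DIR:
            names.add(name)
    tweaks = []
    for name in sorted(names):
        if name.endswith(".dylib"):
            plist = name[: -len(".dylib")] + ".plist"
            tweaks.append((name, plist in names))
    return tweaks


def triage(paths):
    """Summarise a listing: is the device jailbroken, and what does
    Substrate inject?  A tweak with no filter plist has no process
    filter at all and deserves a closer look."""
    indicators = jailbreak_indicators(paths)
    tweaks = substrate_tweaks(paths)
    return {
        "jailbroken": bool(indicators),
        "indicators": indicators,
        "tweaks": [name for name, _ in tweaks],
        "unfiltered_tweaks": [name for name, has_plist in tweaks if not has_plist],
    }


# Constructed sample listing for a jailbroken device with two tweaks, one of
# which ships without a filter plist.
SAMPLE_LISTING = [
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/ExampleTweak.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/ExampleTweak.plist",
    "/Library/MobileSubstrate/DynamicLibraries/unknown.dylib",
    "/usr/sbin/sshd",
    "/usr/lib/libSystem.B.dylib",
    "/var/mobile/Library/Preferences/com.apple.mobilephone.plist",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On a real device the listing would come from `find / -type f -o -type d` over SSH; a stock (non-jailbroken) device returns no indicators and no tweaks, which is the baseline to compare against when a victim reports being locked out.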
Affected users are located mainly in China but hail from 17 other countries including Britain, France, the US, and Australia.
Some victims say they are being locked out of phones and forced to pay ransoms.
The malware is bundled into jailbreak tweaks and served on the Weiphone jailbreak forum by a suspected VXer known as mischa07, who specialises in cheats and tweaks.
The attack was discovered by a Yangzhou University student known as i_82, who, together with a group of fellow researchers, worked with Xiao. They exploited an SQL injection vulnerability on the attacker's server to learn about the attack.
They retrieved about half of the stolen account records before the VXer caught on and locked the white hats out. They have now set up a website where users can check whether their account is affected. ®