Apple's non-jailbroken iPhones are considered comparatively safe from malware and security threats. A security research team has discovered a new iOS malware that can infect even the non-jailbroken iPhones by exploiting a vulnerability in Apple's DRM architecture.
AceDeceiver iOS malware targets non-jailbroken devices:
This iOS malware abuses design flaws in Apple's Digital Rights Management (DRM) protection mechanism, and "installs malicious apps on iOS devices regardless of whether they are jailbroken." Dubbed as AceDeceiver, the malware currently uses geotag that is only activated when a user is in China. But with some minor tweaks it could be used to infect iPhone and iPad variants anywhere in the world. First reported by researchers at Palo Alto Networks, attackers can deliver the malware to iOS devices using a technique known as FairPlay man-in-the-middle (MitM).
FairPlay is Apple's software program that prevents people from stealing apps from the App Store. FairPlay MitM approach is used to distribute pirated iOS apps, but in this instance it has been found to install malware. For FairPlay MitM attacks to work, users are first tricked into installing a specially crafted piece of software on their devices. The software then mimics the working of iTunes, installing malware on to iOS devices when they are connected to the computer, without user's knowledge.
Apple allows users purchase and download iOS apps from their App Store through the iTunes client running in their computer. They then can use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased.
In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code. They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge. - Palo Alto
Attackers uploaded their malicious iOS apps to the App Store by disguising them as wallpaper apps. The security research team has noted that the developers managed to bypass Apple's code review possibly because the apps exhibit nefarious behavior only when run in China. This is the first time FairPlay technique has been used to spread malware on iOS devices. As mentioned before, the malware has only been spotted in China, but it could be easily configured to target iOS users of other regions as well.
Apple has removed the apps after Palo Alto Networks notified the company about AceDeceiver. However, this doesn’t stop the attack from working, researchers have warned, as cyber criminals already have the authorization codes.
