Security Experts:

iOS Malware "AceDeceiver" Exploits Flaw in Apple DRM

Researchers have discovered a new iOS malware family that abuses design flaws in Apple’s FairPlay digital rights management (DRM) technology to infect devices, even ones that haven’t been jailbroken.

Dubbed “AceDeceiver,” the malware currently targets only users in China, but with some minor tweaks it could be used against iPhone and iPad owners in other countries as well.

According to researchers at Palo Alto Networks, attackers can deliver the malware to iOS devices using a technique known as FairPlay man-in-the-middle (MitM).

Apple’s FairPlay DRM technology is designed to protect apps and other content downloaded from the company’s official stores. When users download applications to their PCs or Macs and want to transfer them to their iOS devices via iTunes, they have to go through an authorization process designed to ensure that the apps were actually purchased by the user.

FairPlay MitM attacks are possible due to design flaws in this authorization process. In such attacks, the attacker intercepts a special code required by Apple for authorization and uses it via a piece of software designed to simulate iTunes to trick the iOS device into believing that the app was purchased.

This technique was first used in early 2013 to install pirated iOS applications and still works to this day. Cybercriminals can silently install AceDeceiver to iOS devices connected to a computer they control by using the authorization codes they obtained from Apple for three malicious apps they managed to upload to the official App Store between July 2015 and February 2016.

Apple has removed the malicious applications, but the attack still works as long as the cybercriminals have the authorization codes, Palo Alto Networks researchers explained.

Attackers uploaded their malicious iOS apps to the Apple App Store by disguising them as harmless-looking wallpaper applications submitted using different developer accounts. Experts believe the malware developers bypassed Apple’s code review because the apps exhibit malicious behavior only when running on devices in China. Whether or not any malicious activity is conducted depends on a value sent to the malware by its command and control (C&C) server, and developers could have ensured that their apps were harmless when they knew Apple was conducting its review.

Bypassing Apple’s review might have also been aided by the fact that the malicious apps were mostly uploaded to App Stores outside of China, including the US and UK stores. Palo Alto Networks discovered that once the apps were reviewed, their developer managed to update them seven times, once again bypassing Apple’s verification.

For FairPlay MitM attacks to work, the attacker must trick the victim into installing a specially crafted piece of software onto their computer. This software mimics iTunes and can install the malware onto iOS devices connected to the computer without the user’s knowledge.

In the attacks observed by experts, cybercriminals leveraged a Windows application called Aisi Helper, which claims to be a piece of software that provides various services for iOS devices, including reinstallation of the system, jailbreaking, backups, system cleaning and device management.

Once AceDeceiver is installed on a device, it directs victims to a third-party app store controlled by the attackers from which they can download other iOS apps and games. The malware also instructs victims to enter their Apple ID and password, which are encrypted and sent to the Trojan’s C&C server.

“Our analysis of AceDeceiver leads us to believe FairPlay MITM attack will become another popular attack vector for non-jailbroken iOS devices – and thus a threat to Apple device users worldwide,” Palo Alto Networks’ Claud Xiao said in a blog post.

AceDeceiver is not the only iOS malware that tailors its behavior based on the victim’s location. Last month, Palo Alto Networks reported discovering ZergHelper, a pirated App Store client targeting iOS users in China, which leveraged this technique to bypass Apple’s review process.

Related: Mac OS X and iOS Infections and Threats on the Rise

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.