iOS Malware “AceDeceiver” Exploits Flaw in Apple DRM

Researchers have discovered a new iOS malware family that abuses design flaws in Apple’s FairPlay digital rights management (DRM) technology to infect devices, even ones that haven’t been jailbroken.

Dubbed “AceDeceiver,” the malware currently targets only users in China, but with some minor tweaks it could be used against iPhone and iPad owners in other countries as well.

According to researchers at Palo Alto Networks, attackers can deliver the malware to iOS devices using a technique known as FairPlay man-in-the-middle (MitM).

Apple’s FairPlay DRM technology is designed to protect apps and other content downloaded from the company’s official stores. When users download applications to their PCs or Macs and want to transfer them to their iOS devices via iTunes, they have to go through an authorization process designed to ensure that the apps were actually purchased by the user.

FairPlay MitM attacks are possible due to design flaws in this authorization process. In such attacks, the attacker intercepts a special code required by Apple for authorization and replays it through a piece of software designed to simulate iTunes, tricking the iOS device into believing that the app was purchased.

This technique was first used in early 2013 to install pirated iOS applications and still works to this day. Cybercriminals can silently install AceDeceiver on iOS devices connected to a computer they control by using the authorization codes they obtained from Apple for three malicious apps they managed to upload to the official App Store between July 2015 and February 2016.

Apple has removed the malicious applications, but the attack still works as long as the cybercriminals have the authorization codes, Palo Alto Networks researchers explained.

Attackers uploaded their malicious iOS apps to the Apple App Store by disguising them as harmless-looking wallpaper applications submitted using different developer accounts. Experts believe the malware developers bypassed Apple’s code review because the apps exhibit malicious behavior only when running on devices in China. Whether or not any malicious activity is conducted depends on a value sent to the malware by its command and control (C&C) server, and developers could have ensured that their apps were harmless when they knew Apple was conducting its review.

Bypassing Apple’s review might have also been aided by the fact that the malicious apps were mostly uploaded to App Stores outside of China, including the US and UK stores. Palo Alto Networks discovered that once the apps were reviewed, their developer managed to update them seven times, once again bypassing Apple’s verification.

For FairPlay MitM attacks to work, the attacker must trick the victim into installing a specially crafted piece of software onto their computer. This software mimics iTunes and can install the malware onto iOS devices connected to the computer without the user’s knowledge.

In the attacks observed by experts, cybercriminals leveraged a Windows application called Aisi Helper, which claims to be a piece of software that provides various services for iOS devices, including reinstallation of the system, jailbreaking, backups, system cleaning and device management.

Once AceDeceiver is installed on a device, it directs victims to a third-party app store controlled by the attackers from which they can download other iOS apps and games. The malware also instructs victims to enter their Apple ID and password, which are encrypted and sent to the Trojan’s C&C server.

“Our analysis of AceDeceiver leads us to believe FairPlay MITM attack will become another popular attack vector for non-jailbroken iOS devices – and thus a threat to Apple device users worldwide,” Palo Alto Networks’ Claud Xiao said in a blog post.

AceDeceiver is not the only iOS malware that tailors its behavior based on the victim’s location. Last month, Palo Alto Networks reported discovering ZergHelper, a pirated App Store client targeting iOS users in China, which leveraged this technique to bypass Apple’s review process.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
