Connect with us

Hi, what are you looking for?


Malware & Threats

iOS Malware “AceDeceiver” Exploits Flaw in Apple DRM

Researchers have discovered a new iOS malware family that abuses design flaws in Apple’s FairPlay digital rights management (DRM) technology to infect devices, even ones that haven’t been jailbroken.

Researchers have discovered a new iOS malware family that abuses design flaws in Apple’s FairPlay digital rights management (DRM) technology to infect devices, even ones that haven’t been jailbroken.

Dubbed “AceDeceiver,” the malware currently targets only users in China, but with some minor tweaks it could be used against iPhone and iPad owners in other countries as well.

According to researchers at Palo Alto Networks, attackers can deliver the malware to iOS devices using a technique known as FairPlay man-in-the-middle (MitM).

Apple’s FairPlay DRM technology is designed to protect apps and other content downloaded from the company’s official stores. When users download applications to their PCs or Macs and want to transfer them to their iOS devices via iTunes, they have to go through an authorization process designed to ensure that the apps were actually purchased by the user.

FairPlay MitM attacks are possible due to design flaws in this authorization process. In such attacks, the attacker intercepts a special code required by Apple for authorization and uses it via a piece of software designed to simulate iTunes to trick the iOS device into believing that the app was purchased.

This technique was first used in early 2013 to install pirated iOS applications and still works to this day. Cybercriminals can silently install AceDeceiver to iOS devices connected to a computer they control by using the authorization codes they obtained from Apple for three malicious apps they managed to upload to the official App Store between July 2015 and February 2016.

Apple has removed the malicious applications, but the attack still works as long as the cybercriminals have the authorization codes, Palo Alto Networks researchers explained.

Attackers uploaded their malicious iOS apps to the Apple App Store by disguising them as harmless-looking wallpaper applications submitted using different developer accounts. Experts believe the malware developers bypassed Apple’s code review because the apps exhibit malicious behavior only when running on devices in China. Whether or not any malicious activity is conducted depends on a value sent to the malware by its command and control (C&C) server, and developers could have ensured that their apps were harmless when they knew Apple was conducting its review.

Advertisement. Scroll to continue reading.

Bypassing Apple’s review might have also been aided by the fact that the malicious apps were mostly uploaded to App Stores outside of China, including the US and UK stores. Palo Alto Networks discovered that once the apps were reviewed, their developer managed to update them seven times, once again bypassing Apple’s verification.

For FairPlay MitM attacks to work, the attacker must trick the victim into installing a specially crafted piece of software onto their computer. This software mimics iTunes and can install the malware onto iOS devices connected to the computer without the user’s knowledge.

In the attacks observed by experts, cybercriminals leveraged a Windows application called Aisi Helper, which claims to be a piece of software that provides various services for iOS devices, including reinstallation of the system, jailbreaking, backups, system cleaning and device management.

Once AceDeceiver is installed on a device, it directs victims to a third-party app store controlled by the attackers from which they can download other iOS apps and games. The malware also instructs victims to enter their Apple ID and password, which are encrypted and sent to the Trojan’s C&C server.

“Our analysis of AceDeceiver leads us to believe FairPlay MITM attack will become another popular attack vector for non-jailbroken iOS devices – and thus a threat to Apple device users worldwide,” Palo Alto Networks’ Claud Xiao said in a blog post.

AceDeceiver is not the only iOS malware that tailors its behavior based on the victim’s location. Last month, Palo Alto Networks reported discovering ZergHelper, a pirated App Store client targeting iOS users in China, which leveraged this technique to bypass Apple’s review process.

Related: Mac OS X and iOS Infections and Threats on the Rise

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.