Researchers have just discovered a new malware threat for iOS devices that uses Apple’s own FairPlay DRM system as a delivery vector.
Dubbed “AceDeceiver” by the researchers, the malware in question can technically infect any iOS device, jailbroken or not, if a user downloads a third-party app.
The three offending iOS apps were found on the App Store and have since been removed by Apple. Because the malicious code was once approved through the App Store, however, the apps can still be installed on iOS devices through a fake Windows app, so the malware remains viable. Worse yet, other attacks of this type could be coming in the future.
The three apps in the AceDeceiver family all claimed to be wallpaper apps for iOS and somehow got past Apple’s review for malicious code in the App Store.
In what’s being called the “FairPlay man-in-the-middle” attack, hackers capture authentication codes for App Store apps and simulate an iTunes client (which lets legitimate users install apps from their computer) to trick iOS devices into believing the app was bought by the victim. That way, a user can install apps they haven’t paid for, and the hackers can potentially install malicious apps like these without the user knowing.
While this attack vector has been around for a while (to allow installation of apps users haven’t paid for), this is the first time it’s been used to spread malware.
According to the security researchers, if an iOS user downloads a Windows utility called Aisi Helper, which purports to help jailbreak an iPhone, the malicious apps can be installed on any iOS device connected to that computer.
Obviously, you don’t want to download the Windows app above, and should always be wary of apps for any platform that promise jailbreaking, iPhone utilities and quasi-legal access to cracked apps, as Aisi Helper does.
“The bigger issue, however, is that AceDeceiver is evidence of another relatively easy way for malware to infect non-jailbroken iOS devices,” writes Claud Xiao, one of the researchers. “As a result, it’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique.”
Source: Palo Alto Networks