March 31, 2016

AceDeciever: the malware that can infect ANY iPhone

News Threats

Apple iPhone users usually consider their phones as impregnable fortresses that Apple has built for them: iPhones are often said to be secure and safe, especially when compared to Android devices. Yes, iPhones are really more secure than Android phones, but that doesn’t mean that they are totally secure. You know, there are no fortresses that can not be conquered.

AceDeciever: the malware that can infect ANY iPhone

We’ve already covered not just one but several nasty iOS threats and gave some advice on securing your Apple gadgets. However malware for iOS continues to emerge and the most recent sample discovered by Palo Alto Networks seems to be one of the most dangerous so far.

Why? Because it neither requires your iOS device to be jailbroken nor it uses some stolen corporate certificate to install malicious software. The new malware family is called AceDeciever and it is capable of infecting pretty much any iOS device.

The rather good intentions

Everything started with someone’s novel idea not to pay for what they want to get. In this case it was a method to pirate iOS apps called FairPlay Man-in-the-Middle attack. We won’t spend much time here explaining the concept of Man-in-the-Middle attacks — you can learn about them from a dedicated post here. And here we’d rather focus on what FairPlay is and how AceDeciever actually works.

FairPlay is the DRM protection that Apple uses for music and videos as well as for iOS apps. As you probably know, iPhone users can purchase apps in iTunes client on their computer and then transfer them to their phones. Of course, it requires proof that the user really had purchased the app. This proof is delivered via an authorization code generated by iTunes for every application. That’s how FairPlay works.

The thing is, the code is always the same for any given application. And if you’ve managed to intercept it once, you can use it to install the same app to countless number of iPhones and iPads. That’s basically how FairPlay Man-in-the-Middle works.

AceDeciever: the malware that can infect ANY iPhone

The app with two faces

Eventually, the method had evolved into creating a full-featured pirate app store. It was based on a Windows program called Aisi Helper that initially was used to jailbreak iPhones, back up data and reinstall iOS. A new function was added to this tool — it started injecting an app with the same name into any iPhone connected to a computer with Aisi Helper installed. That app would display a lot of pirated apps that users could download for free.

Curiously, this Aisi Helper app itself was being installed to iPhones using the same FairPlay Man-in-the-Middle technique. That’s why in order to inject Aisi Helper to iPhones creators of the app needed to upload it to App Store at first, to obtain a legitimate authentication code for this very app. The problem was, Apple doesn’t really like pirate app shops in the App Store.

To seduce Apple code reviewers, Aisi Helper pretended to be a harmless and boring free wallpapers app. To be sure nobody ever revealed the truth, the culprits used a double trick. On one hand, they published versions of this app only in US and UK App Stores , beyond the reach of Chinese users. On the other hand, when launched first time, the app checked phone’s location and if it was not in China, it showed only wallpapers (and has done so since then).

Hence to see the real pirate store interface US App Store code reviewers as well as any random user have to be in China which is very unlikely. That’s why nobody ever noticed that the app is something more than yet another set of wallpapers.

Apple has by now removed all versions of the Aisi Helper app from the App Store. But it turns out that it doesn’t mean the end of life for this malware. In order to perform a FairPlay Man-in-the Middle attack you don’t actually need to have an app in the App Store. The requirement is that it has been there once. And that’s 100% true for Aisi Helper’s ‘wallpaper/pirate-store apps’.

The unFair Play

So what’s wrong with a pirate app store aside from legal and moral issues? Well, if someone tells you something like: ‘I’ve stolen that and now I give it to you for free,’ — don’t believe it. Never. There’s 99.9% chance that’s you are being fooled.

And that’s exactly the case with this app. These apps were harmless for their users for a while. But at certain point, these apps started asking their users to input their Apple ID logins and passwords “for more features.” After that those credentials were uploaded to AceDeciever’s command server.

I think, now it’s rather clear why are we talking about AceDeciever here on Kaspersky Daily. The flaw in FairPlay’s security is still not patched. And even if it would be, the older OS version would probably remain vulnerable to the very same attack.

OK, how do I protect myself?

The good news is that this particular attack does not target people outside of mainland China. The bad news is that it’s rather easy for bad guys to exploit this vulnerability once again and make some new malware that would target other countries and do even more harm. That is to say no matter whether you live in China or not, we suggest you do the following:

1. Don’t try to jailbreak your iPhone. It never was safe, and as you can see, the very software required to perform this operation is not safe as well.

2. We always have suggested to use this rule for Google Play, but it looks like it’s suitable for App Store as well: pay attention to the apps you are installing. AceDeceiver’s creators have proven that Apple code reviews can be bypassed with certain trickery. Unfortunately, antivirus software is not allowed in iOS, so once malware is inside, you’re on your own.

3. Fortunately, you can protect your other devices. Be sure to have good security solutions everywhere you can. In this example an anti-virus software on the PC would have detected Aisi Helper as malicious AceDeciever.