Greatest iOS theft ever — who needs to worry about KeyRaider malware

September 4, 2015

While iOS has a reputation for being secure by design, headlines over the past three days have challenged that. The noise was caused by the KeyRaider malware, which compromised more than 225,000 Apple accounts. Boo!

KeyRaider malware affects only jailbroken devices. Who needs to worry?

The truth is that the vast majority of iPhone and iPad users (almost all of them, in fact) don't need to worry about this malware. KeyRaider affects only jailbroken devices: it cannot get into an iPhone unless the owner has already removed Apple's protections by jailbreaking it. Owners of non-jailbroken Apple devices can take a breather.

When it comes to Apple devices, you can either accept the limits the manufacturer imposes or jailbreak your device for more customization and extra features. Jailbreaking disables the code-signing and sandbox restrictions that keep apps in their place, and that freedom cuts both ways: any tweak you install from a third-party repository runs with the same elevated access, so malware installed the same way gets it too.

So don't jailbreak your iPhone or iPad, or you may end up dealing with malware that has already infected devices in 18 countries, including China, France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea. Most of the victims are in China.

If you still want to jailbreak your device, that does not necessarily mean you will be infected. To pick up KeyRaider you have to install a tweak from a third-party Cydia repository that bundles it. Once installed, the malware steals Apple account usernames, passwords and unique device identifiers and sends them to a remote server run by the attackers.

KeyRaider can also lock your Apple device and demand a ransom to give you back access to your files. It's very nasty malware, to put it briefly.

In July 2015, WeipTech researchers started looking into complaints from iPhone and iPad users about unauthorized purchases and iOS apps appearing on their devices that they had never installed. The researchers tracked down the criminals and got into the server they were using, gathered data from it and reverse-engineered the jailbreak tweak to find out how it worked.

WeipTech called it the biggest theft ever involving Apple accounts. Even though the malware affects only jailbroken devices, it is serious for its victims: about a quarter of a million accounts have already been stolen.

If you think you might be one of them, check this website created by WeipTech. It's in Chinese, but you can use Google Translate.

WeipTech researchers also suggest an alternative, manual method. It is rather hardcore, but anyone geeky enough to jailbreak an iOS device will cope with it:

  • Install the OpenSSH server through Cydia
  • Connect to the device over SSH
  • Go to /Library/MobileSubstrate/DynamicLibraries/ and grep every file in that directory for these strings: wushidou, gotoip4, bamu, getHanzi

If any file in the directory contains one of these strings, delete that file and the .plist file with the same name, then reboot the device. After that it is strongly recommended to change your Apple ID password and to enable two-factor verification for your Apple ID.
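The three-step check above, as an added example that is not part of the original post or of WeipTech's own tooling: a POSIX shell script to run as root over that SSH session on the jailbroken device. It scans the directory for the four indicator strings, lists the matching .dylib files, and on request deletes each one together with its companion .plist. The optional directory argument exists so you can try it on a scratch directory first; the function and file names are mine. A string match on its own is not proof (a legitimate tweak could happen to contain one of these words), so run the listing first and look at what it flags before removing anything.

```shell
#!/bin/sh
# keyraider_check.sh (added example, not WeipTech's tool).
# Scans a MobileSubstrate DynamicLibraries directory for the KeyRaider
# indicator strings from the write-up and optionally removes the matches.
# Requires a grep that understands -a (GNU grep from Cydia does).

KEYRAIDER_DIR=/Library/MobileSubstrate/DynamicLibraries
KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"

# Return 0 if the file given as $1 contains any indicator string.
# -a treats the binary as text, -F matches the literal word, -q only sets the status.
is_keyraider_dylib() {
    for s in $KEYRAIDER_STRINGS; do
        if grep -q -a -F -- "$s" "$1"; then
            return 0
        fi
    done
    return 1
}

# Print the path of every .dylib in the directory ($1, default KEYRAIDER_DIR)
# that matches. Prints nothing when the directory is clean or absent.
find_keyraider_dylibs() {
    for f in "${1:-$KEYRAIDER_DIR}"/*.dylib; do
        if [ -f "$f" ] && is_keyraider_dylib "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Delete every matching .dylib and the .plist with the same basename
# (MobileSubstrate loads a tweak from foo.dylib with filter file foo.plist).
# Prints the number of dylibs removed.
remove_keyraider_dylibs() {
    count=0
    for f in "${1:-$KEYRAIDER_DIR}"/*.dylib; do
        if [ -f "$f" ] && is_keyraider_dylib "$f"; then
            rm -f -- "$f" "${f%.dylib}.plist"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Stand-alone usage on the device (as root over SSH):
#   sh keyraider_check.sh --list      # show suspicious dylibs, change nothing
#   sh keyraider_check.sh --remove    # delete them and their plists, then reboot
case "${1:-}" in
    --list)   find_keyraider_dylibs ;;
    --remove) echo "removed $(remove_keyraider_dylibs)" ;;
esac
```

Run `--list` first and inspect each flagged file (for example with `strings`) before you run `--remove`; after removing, reboot so the hooked processes restart without the tweak, then change the Apple ID password from a device you trust.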