iPhone and iPad users beware! A new trojan discovered by Palo Alto Networks can infect even non-jailbroken iOS devices through PCs, without abusing an enterprise certificate. The malware, named "AceDeceiver", is currently affecting iOS users in China and works by exploiting design flaws in Apple's Digital Rights Management (DRM) system.
The malware bypasses Apple's DRM protection system, called FairPlay, to install malicious apps on iOS devices. The technique, called "FairPlay Man-In-The-Middle (MITM)", has been used since 2013 with fake iTunes software and spoofed authorization codes to spread pirated iOS apps, but this is the first time it has been used to spread malware.
How AceDeceiver works
AceDeceiver targets users who buy apps from the App Store on their PCs through the iTunes client. Apple lets users purchase and download iOS apps in iTunes and then install them on their iOS devices; before the install is approved, the device requests an authorization code for each app as proof that it was purchased.
In the FairPlay MITM attack, the attackers purchase an app from the App Store, then intercept and save its authorization code. They then develop PC software that simulates the behaviour of the iTunes client and tricks the iOS device into believing the app was purchased by the victim. As a result, users can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user's knowledge.
From July of 2015 to February of 2016, three AceDeceiver iOS apps were uploaded to the official iOS App Store, posing as wallpaper apps and providing attackers with a fake authorization code to use in the trojan attacks.
An iPhone management app for Windows PCs called "Aisi Helper" purports to provide system re-installation, jailbreaking, system backup, device management and system cleaning services, but instead installs malicious iOS apps on connected devices.
These malicious iOS apps connect to a third-party app store controlled by the author, from which users can download iOS apps or games. The third-party store offers free content to bait users into submitting their Apple IDs and passwords, which are then uploaded to the AceDeceiver server.
What can you do?
AceDeceiver in its current form requires users to download the Aisi Helper Windows app to their PCs in order for the malware to spread to iOS devices, so people who have downloaded this software should remove it immediately and change their Apple ID passwords.
Users should avoid this app at all costs and steer clear of any other suspicious software. This is one more reason to take the security of your Apple device seriously and to avoid jailbreaking it.
Though Apple removed the original AceDeceiver iOS apps from the App Store last February (the ones used by the hackers to obtain the authorization codes), the attack remains active because attackers still have the authorization codes necessary to install fake apps on iOS devices. AceDeceiver only affects users in China, but Palo Alto Networks believes the AceDeceiver trojan or similar malware could spread to additional regions in the future.