iOS is widely regarded to be one of the more secure mobile operating systems. It’s been designed from the ground up to be secure, and consequently has avoided many of the security threats that have plagued Android.
But AceDeceiver is different. It was discovered by Palo Alto Networks earlier this week, and is able to infect factory-configured iPhones without the user realizing, by exploiting fundamental flaws in Apple’s FairPlay DRM system.
From Piracy to Malware
The way AceDeceiver is distributed is based on something called “FairPlay Man-In-the-Middle”, which is a common tactic that has been used since 2013 to install pirated applications on un-jailbroken iPhones and iPads.
When an individual purchases an iPhone application from a computer, the application can be sent immediately to that phone. But between the purchase being made and the application being delivered, there’s a whole bunch of communication happening between the devices, and Apple’s servers.
In particular, Apple will send an authorization code to the iOS device, which essentially affirms to the client device that the application has been legitimately bought. If somebody captures one of these authorization codes, and is able to mimic how Apple’s servers interacts with iOS devices, they will be able send applications to that device.
These applications can be applications that haven’t been permitted by Apple to appear on the App Store, or could be pirated applications.
In this case, the applications being distributed by this novel spin on the “Fairplay Man-In-The-Middle” are malware applications.
Meet Aisi Helper
For this attack, the FairPlay Man-In-The-Middle attack is performed by the Aisi Helper, which is a Windows software application, believed to have been developed in Shenzhen, China.
At face value, it purports to be a legitimate, third-party iDevice management product. It has much of the trappings of legitimate programs. It allows users to jailbreak and backup devices on the local network, and to reinstall iOS if they need to. It’s essentially iTunes, albeit without the music player, and aimed squarely at the Chinese market.
According to ITJuzi, which profiles startups in the Chinese market, it was first released in 2014. Back then, it didn’t contain any malicious behaviors. Since then, it has been extensively modified to use the aforementioned strategy, in order to distribute malware to any connected devices.
When Aisi Helper detects a connected device, it will automatically, and without the consent of the user, start installing the AppDeciever Trojan. The only hint that this is happening, is that a mysterious, and unwanted, application will have appeared in the user’s list of apps.
The AceDeceiver Malware
At the time of writing, there have been three of these Trojans. Each of them have, so far, initially masqueraded as wallpaper apps. Each of these have been made available on the App Store, having passed Apple’s notoriously strict source code checks, where it is reviewed upon submission, and upon each subsequent update. This, in theory, should have prevented them from appearing in the App Store.
Palo Alto Networks believes the developers were able to skirt these checks by submitting them outside of China, and initially making them available to only a handful of markets, like the United Kingdom and New Zealand.
This specific variant of the AceDeciever malware remains dormant unless the device has an IP address in the People’s Republic of China. It’s clear due to this, and to the delivery medium, that it’s aimed at Chinese users. Although it could also impact anyone using a Chinese VPN, or someone traveling within China.
When the malware detects the device is in China, it will transform from being merely an application to download and change wallpwapers, to one that masquerades as several Apple services, like the App Store, and Game Center.
The aim of this is, predictably, to harvest Apple credentials. This would then allow the attacker to purchase applications and e-books they’ve placed on the App Store, and in turn make a healthy profit. However, AppDeciever can’t merely ‘access’ these credentials, as they’re stored securely in an encrypted container.
So, it uses social engineering tactics instead. AceDeceiver will display pop-ups that look like they’ve came from Apple, asking the user to confirm their credentials. When the user complies, these are sent over the network to a remote server.
These applications have since been removed from the store. Despite that, they can still be installed by an attacker, by exploiting the FairPlay Man-In-The-Middle attack.
Should You Be Worried?
So, let’s cut to the chase. Do you have reason to be concerned about this? Well, yes and no.
Right now, the main manifestation of this is centered around China. It targets Chinese iPhones, it’s dormant outside of China, and it uses social engineering tactics that are carefully crafted to be successful against Chinese users.
But despite that, there is cause for concern. After all, it’s based on a tactic that’s been used since 2013 to install pirated software. Three years later, this hole is yet to be closed, and it’s still ultimately exploitable.
The fact that is was successfully published on the App Store three times also raises serious questions about Apple’s ability to keep it malware-free.
Furthermore, as pointed out by Palo Alto Labs, it would be trivial to rework this malware to target users in the US, or Europe.
Right now, there’s not a lot that can be done to combat it. Palo Alto Networks recommend anyone who has installed Aisi Helper immediately uninstall it. They also say that victims should activate two-factor authentication, as well as change their passwords.
They’ve also released two IPS (Intrusion Prevention System) signatures for businesses who use their firewall appliances, in order to block the attack. Sadly, these aren’t available for consumers.
Over To You
Were you affected by the AceDeceiver Malware? Know someone who was? Tell me about it in the comments below.