Jailbroken Apple iPhone users should set up two-factor authentication (2FA) to block KeyRaider iOS malware, says security firm Rapid7.
More than 225,000 Apple accounts have been stolen in China by the cyber thieves behind the malware, according to researchers at Palo Alto Networks.
KeyRaider also steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information and disables local and remote unlocking functionalities on iPhones and iPads.
Any malware capable of stealing credentials for jailbroken iPhones is of particular concern in the enterprise environment, where a growing number of personal iPhones are being used to access corporate email and other IT systems.
The KeyRaider iOS malware was discovered by WeipTech and researched in collaboration with Palo Alto Networks.
“We believe this to be the largest known Apple account theft caused by malware,” Palo Alto said in a blog post.
Although most people targeted by KeyRaider are in China, the researchers found iPhone owners in 17 other countries have also been hit, including the UK and four other countries in Europe.
Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state their phones have been held for ransom.
Jailbroken iPhones are devices that have been modified using software exploits to remove Apple's restrictions, allowing them to run apps from non-Apple sources.
But security advisors have repeatedly warned against jailbreaking iOS devices because this enables devices to run apps that have not been subjected to Apple’s security checks.
Unlike the official Apple App Store, third-party app suppliers do not check the software they distribute for malicious content.
“While jailbreaking opens up the system to grant more freedom to the user, it increases the risk of an iOS device being infected with malware or attacked in other ways,” said Guillaume Ross, senior security consultant of strategic services at Rapid7.
“We highly recommend users who think they might have been impacted to change their Apple ID passwords. To protect accounts against password theft and increase account security in general, enabling two-step verification is an important action everyone using an Apple ID can perform,” he said.
The malware, which was distributed on Weiphone’s Cydia repositories for jailbroken iOS devices, exploits Cydia Substrate (formerly MobileSubstrate), a software package used only on jailbroken devices.
Unlike other Cydia sources, such as BigBoss or ModMyi, Weiphone provides private repository functionality for each registered user so they can directly upload their own apps and tweaks and share them with each other.
The malware was contained in two “tweaks” for jailbroken iPhones that claimed to enable users to download applications from the official App Store and make in-app purchases without paying, but this was done using another person’s stolen Apple account.
Users who do not use a jailbroken device are not affected by the KeyRaider malware, but for users of jailbroken iPhones, Palo Alto Networks has provided instructions on how to verify if a device is infected.