A major new iOS malware threat dubbed “AceDeceiver” has been uncovered by security firm Palo Alto Networks, which said it is targeting non-jailbroken iDevices via a flaw in Apple’s DRM mechanism.
Palo Alto Networks said the threat was particularly notable as it manages to get on to devices without having to dupe any certification processes.
“What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all,” Palo Alto says in a blog post.
AceDeceiver is abusing a design flaw in Apple’s DRM protection mechanism called FairPlay via a technique called “FairPlay Man-in-the-Middle”, enabling attackers to install malicious apps on iOS devices while bypassing Apple’s baked-in security measures.
It can do so without a user knowing, too, and the only tell-tale sign will be a new app icon showing on an iPhone’s home screen.
Palo Alto notes that while this technique has been used by hackers since 2013, this is the first time that it’s been exploited to spread malware.
“In the FairPlay MITM attack, attackers purchase an app from the App Store, then intercept and save the authorization code.
They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by the victim,” the security firm explains.
“Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.”
Three different iOS apps in the AceDeceiver family were uploaded to Apple’s App Store between July 2015 and February 2016, and all of them claimed to be innocent wallpaper apps.
Apple cleared the App Store of these apps back in February, albeit after they had managed to bypass its security seven times, but Palo Alto notes that even with the apps no longer available, they could still wreak havoc on iPhones and iPads.
“Even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”
There’s no need to panic just yet, though, as Palo Alto notes that, for now at least, AceDeceiver is only targeting users in China.
While you don’t need to panic yet, Palo Alto notes that AceDeceiver demonstrates how easy it can be for malware to infect non-jailbroken devices, which could pave the way for similar threats to start cropping up in more regions soon.
“AceDeceiver is evidence of another relatively easy way for malware to infect non-jailbroken iOS devices.
As a result, it’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique.”
The firm has also issued a stark warning to iPhone- and iPad-wielding businesses, adding: “Since AceDeceiver also spreads via enterprise certificates, we suggest that enterprises check for unknown or abnormal provision profiles as well.”
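As an added example (not code from the article or from Palo Alto Networks), here is one way an enterprise could implement the check the quote recommends: pull the XML plist out of an iOS provisioning profile and flag profiles signed by an unknown team, enterprise-distribution profiles that install on any device, and expired ones. The trusted team ID and the sample profile bytes are constructed placeholders, not real values.

```python
import plistlib
import re
from datetime import datetime, timezone

# Apple Developer Team IDs the enterprise itself owns (placeholder, constructed).
TRUSTED_TEAM_IDS = {"TEAMID0000"}

# Constructed sample: the XML plist an embedded.mobileprovision carries inside its
# CMS (PKCS#7) signature wrapper. The surrounding bytes stand in for the DER wrapper;
# every value in the plist is fabricated for this example.
SAMPLE_PROFILE = (
    b"\x30\x82\x10\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>Wallpaper Pro Distribution</string>
    <key>TeamIdentifier</key><array><string>UNKNOWN9999</string></array>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2017-01-01T00:00:00Z</date>
    <key>UUID</key><string>00000000-0000-0000-0000-000000000000</string>
</dict>
</plist>"""
    + b"\x00\x00"
)

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(raw):
    """Locate the XML plist inside the CMS wrapper and parse it.
    The signature is not verified here; we only want the profile metadata."""
    match = PLIST_RE.search(raw)
    if match is None:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def audit_profile(raw, now=None):
    """Return a list of findings for one profile; an empty list means nothing unusual."""
    now = now or datetime.now(timezone.utc)
    prof = extract_plist(raw)
    findings = []
    teams = set(prof.get("TeamIdentifier", []))
    if not teams & TRUSTED_TEAM_IDS:
        findings.append("unknown team id(s): %s" % sorted(teams))
    # In-house distribution profiles install on any device without App Store review.
    if prof.get("ProvisionsAllDevices"):
        findings.append("enterprise distribution profile (ProvisionsAllDevices)")
    exp = prof.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    if exp is not None and exp.replace(tzinfo=timezone.utc) < now:
        findings.append("expired on %s" % exp.date())
    return findings
```

Run `audit_profile` over each `embedded.mobileprovision` extracted from the IPAs deployed in your fleet and review any profile that returns findings.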
Palo Alto Networks has notified Apple of the malware threat, but it has yet to be patched.
The firm has a track record of uncovering iOS and Mac OS X issues, such as the WireLurker threat that came to light in late 2014.