AceDeceiver iOS malware. Insidiously clever.

Teksquisite, Security Technology Editor
A brand new malware strain, dubbed “AceDeceiver,” was recently discovered by security researchers at Palo Alto Networks. This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
Security researcher and engineer Claud Xiao writes at the Palo Alto Research Center blog: “What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”

Xiao elaborates:

Apple allows users to purchase and download iOS apps from their App Store through the iTunes client running in their computer. They then can use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code.

Xiao says that the hackers “developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.”

MITM attack

A Windows malware program known as Aisi Helper (a rogue backup and jailbreak tool) acts as the man-in-the-middle in this MITM attack.

From July of 2015 to February 2016, the hackers uploaded three AceDeceiver iOS rogue wallpaper apps to the official App Store. The apps were able to bypass Apple’s code review. Currently, AceDeceiver only displays malicious behaviors when a user is located in China. Xiao says changing the geographical location “would be easy for the attacker to change in any time.”

Silver lining

According to security expert Graham Cluley, there is a silver lining: iOS users are only in “the firing line if you connect your iPhone or iPad to your Windows PC and live in China.” Cluley also says that for an attack to succeed, “the Windows computer — which is to be connected to the iOS device — has to have already been compromised with malware.”

Though Cupertino pulled the apps last month, Xiao warns:

 . . . the attack is still viable because the FairPlay MITM attack only requires these apps to have been available in the App Store once. As long as an attacker could get a copy of authorization from Apple, the attack doesn’t require current App Store availability to spread those apps.

Expanding horizons

Palo Alto Networks expects this new attack technique to spread far beyond China and affect other geographical regions around the world. Xiao says that the AceDeceiver attack is far more dangerous than previous ones for the following reasons:

  1. It doesn’t require an enterprise certificate, so this kind of malware is not under the control of the mobile device management system, and its execution doesn’t need user’s confirmation of trusting anymore.
  2. It hasn’t been patched and even when it is, it’s likely the attack would still work on older versions of iOS systems.
  3. Even though these apps have been removed from the App Store, that doesn’t affect the attack. Attackers do not need the malicious apps to be always available in App Store for them to spread — they only require the apps ever available in App Store once, and require the user to install the client to his or her PC. However, ZergHelper and AceDeceiver have shown how easy it can be to bypass Apple’s code review process and get malicious apps into the App Store.
  4. The attack doesn’t require victims to manually install the malicious apps; instead, it does that for them. That’s why they can be only available in a few regions’ App Store without affecting the success of the attack. This also makes them much harder to be discovered by Apple or by security firms researching iOS vulnerabilities.
  5. While the attack requires a user’s PC to be infected by malware first, after that, the infection of iOS devices is completed in the background without the user’s awareness. The only indication is that the new malicious app does appear as an icon in the user’s home screen, so the user may notice a new app he or she won’t recall downloading.

Insidiously clever

Our analysis of AceDeceiver leads us to believe FairPlay MITM attack will become another popular attack vector for non-jailbroken iOS devices–and thus a threat to Apple device users worldwide.

Indeed, these malicious hackers are exceptionally stealthy and insidiously clever — it looks like the iOS threat landscape is heating up.

Palo Alto Networks provides a complete and fascinating analysis of AceDeceiver malware in the source section listed below.

Source: Palo Alto Networks

This post originally appeared at the Fortscale Insider Blog.