Malware Exploits Apple DRM to Infect iPhones
Mar 19, 2016 10:00 AM PT
Security researchers at Palo Alto Networks Unit 42 on Wednesday announced they had discovered in the wild a method of infecting nonjailbroken iPhones with malware by exploiting design flaws in FairPlay, Apple's digital rights management (DRM) technology.
The flaw has been exploited since 2013 largely as a means to pirate iOS software, but this is the first time it's been used to infect iPhones with malware, researcher Claud Xiao said.
"This is a fairly sophisticated attack," said Steve Kelly, president of Intego.
"There's a lot of moving pieces in this," he told TechNewsWorld. "Somebody put quite a bit of effort into creating this."
The attack works like this: The malware author buys a legitimate app from the App Store through the iTunes client on a PC. During the download, the attacker intercepts and saves the authorization code that Apple returns along with the app; an iOS device later uses that code to verify that the app was legitimately purchased.
Once in possession of the code, the attacker distributes a Windows program touted as a utility. The program, called "Aisi Helper," purports to provide services for iOS devices such as system reinstallation, jailbreaking, system backup, device management and system cleaning.
When the program runs, however, it emulates the iTunes client in the background and replays the intercepted authorization code to install the infected apps on any iOS device connected to the PC, without the user's knowledge.
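The property that makes the replay in the three steps above possible is that the purchase proof is tied to the app and the buying account but not to the device that installs it, nor to anything fresh that the device contributed. The following is an added example, not code from the article or from Unit 42, and it is a deliberately simplified toy model rather than the real FairPlay protocol: the field names, the `Authorization` structure and the shared HMAC "store key" are assumptions chosen only to show why a once-captured authorization installs on every phone in the first design and on none but the requesting device, once, in the second.

```python
"""Toy model of a replayable vs. a device- and challenge-bound app authorization.

Added illustrative example (not the FairPlay protocol). Assumptions: the
store proves a purchase with an HMAC over a few fields; the device shares
the key only to keep the example dependency-free (a real design would use
a public-key signature). Sample app and account names are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Set, Tuple

STORE_KEY = b"toy-store-signing-key"  # assumed store secret


def _mac(*fields: bytes) -> bytes:
    return hmac.new(STORE_KEY, b"|".join(fields), hashlib.sha256).digest()


@dataclass(frozen=True)
class Authorization:
    app_id: str
    account: str
    device_id: Optional[str]    # None: not bound to a device (replayable design)
    challenge: Optional[bytes]  # None: no freshness (replayable design)
    tag: bytes


# ---- Design 1: proof bound to app + purchasing account only (the flawed pattern)
def store_authorize_v1(app_id: str, account: str) -> Authorization:
    """Store issues a purchase proof tied to the app and the buyer, nothing else."""
    return Authorization(app_id, account, None, None,
                         _mac(app_id.encode(), account.encode()))


def device_accept_v1(auth: Authorization, device_id: str) -> bool:
    """Device checks only that the store really issued this proof; device_id is unused,
    which is exactly the gap: any device accepts the same captured proof."""
    expected = _mac(auth.app_id.encode(), auth.account.encode())
    return hmac.compare_digest(auth.tag, expected)


# ---- Design 2: proof bound to the installing device and a single-use challenge
class Device:
    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self._pending: Set[bytes] = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._pending.add(c)
        return c

    def accept_v2(self, auth: Authorization) -> bool:
        # Must name this device and a challenge this device issued and has not used.
        if auth.device_id != self.device_id or auth.challenge not in self._pending:
            return False
        expected = _mac(auth.app_id.encode(), auth.account.encode(),
                        auth.device_id.encode(), auth.challenge)
        if not hmac.compare_digest(auth.tag, expected):
            return False
        self._pending.discard(auth.challenge)  # single use: a replay is refused
        return True


def store_authorize_v2(app_id: str, account: str, device_id: str,
                       challenge: bytes) -> Authorization:
    """Store signs the app, the buyer, the requesting device and its challenge."""
    return Authorization(app_id, account, device_id, challenge,
                         _mac(app_id.encode(), account.encode(),
                              device_id.encode(), challenge))


def replay_scenario_v1() -> Tuple[bool, bool]:
    """Attacker buys once on the PC, captures the proof, replays it to a victim phone."""
    captured = store_authorize_v1("com.example.wallpaper", "attacker@example.com")
    on_attacker_pc = device_accept_v1(captured, "attacker-pc")
    on_victim_phone = device_accept_v1(captured, "victim-iphone")
    return on_attacker_pc, on_victim_phone  # (True, True): replay succeeds


def replay_scenario_v2() -> Tuple[bool, bool, bool]:
    """Same attacker, but the proof is bound to the device and a fresh challenge."""
    attacker = Device("attacker-pc")
    victim = Device("victim-iphone")
    c = attacker.new_challenge()
    captured = store_authorize_v2("com.example.wallpaper", "attacker@example.com",
                                  attacker.device_id, c)
    first = attacker.accept_v2(captured)        # True: the legitimate install
    replay_same = attacker.accept_v2(captured)  # False: challenge already consumed
    replay_other = victim.accept_v2(captured)   # False: wrong device, unknown challenge
    return first, replay_same, replay_other


if __name__ == "__main__":
    print("v1 (app+account only):", replay_scenario_v1())
    print("v2 (device+challenge):", replay_scenario_v2())
```

The point of the model is the comparison: the device-side check in design 1 never looks at who is installing, so the proof can be captured once and replayed to any phone, which is the spread mechanism the article describes. Binding the proof to the installing device and to a challenge that device generated and consumes once is the general remedy for this class of replay; whether and how Apple changed FairPlay is not something the article states.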
Three infected apps were uploaded to the App Store between July 2015 and February 2016, Xiao said. Each passed Apple's review by tailoring its behavior to geographic region, with the malicious functionality active only for users in mainland China.
"Apple removed these three apps from the App Store after we reported them in late February 2016," he noted.
"However, the attack is still viable because the FairPlay MITM attack only requires these apps to have been available in the App Store once. As long as an attacker could get a copy of authorization from Apple, the attack doesn't require current App Store availability to spread those apps," Xiao continued.
While the malware, which Palo Alto Networks calls "AceDeceiver," appears to affect only users in mainland China, it signals bigger problems for Apple because it is a blueprint for infecting nonjailbroken iPhones, he noted.
"As a result, it's likely we'll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique," Xiao said.
Can't Blame Jailbreakers
With the recent introduction of ransomware for Linux and OS X, it's apparent that malware writers are trying to expand their reach, noted Adrian Liviu Arsene, a senior threat analyst with Bitdefender.
"This is the first time that we've seen malware as an application installed on an iPhone that was not jailbroken," he told TechNewsWorld. "If that can happen, the sky's the limit."
Although Apple removed the infected wallpaper apps from the App Store as soon as Palo Alto notified it about them, it may have been surprised by the attack, maintained Vishal Gupta, CEO of Seclore.
"Most attacks happen on jailbroken devices. Apple says it's not responsible for jailbroken devices, and that's usually where the story ends," he told TechNewsWorld.
"This time it's Apple's responsibility," Gupta said, "and there's no way Apple can shrug this off."
Data Protection Needed
Apple and other hardware makers need to focus more resources on protecting the data on phones, he maintained.
"Apple and others are too busy securing their devices. This device-centric view is, unfortunately, a challenge in the present security posture of a lot of companies, including Apple," Gupta said.
"People are not interested in securing devices -- they're interested in securing their data," he continued.
"If you lose your phone, you'll feel sad about it, but you can always buy another phone," Gupta added. "But if you lose your data, that can be something very difficult to replace."