Malware Exploits Apple DRM to Infect iPhones

Security researchers at Palo Alto Networks Unit 42 on Wednesday announced they had discovered in the wild a method of infecting non-jailbroken iPhones with malware by exploiting design flaws in Apple’s FairPlay digital rights management technology.

The flaw has been exploited since 2013, largely as a means to pirate iOS software, but this is the first time it has been used to infect iPhones with malware, researcher Claud Xiao said.

“This is a fairly sophisticated attack,” said Steve Kelly, president of Intego.

“There’s a lot of moving pieces in this,” he told TechNewsWorld. “Somebody put quite a bit of effort in creating this.”

The Attack

The attack works like this: The malware author buys a legitimate app from the App Store through the iTunes client on a PC. During the purchase and download, the attacker intercepts and saves the authorization code that Apple issues with the app. iOS devices ask for that code when an app is installed from a computer, as proof that the app was actually purchased; they do not check who is presenting it or on whose behalf it was issued.

Once in possession of the code, the attacker writes a PC program touted to provide some utility for the user. The program, called “Aisi Helper,” purports to provide services for iOS devices such as system reinstallation, jailbreaking, system backup, device management and system cleaning.

When the program runs, however, it emulates the iTunes client in the background and replays the intercepted authorization code to install the infected apps on any iPhone connected to the PC, without the owner’s knowledge or consent.
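The core of the flaw is that the purchase authorization is a bearer token: it proves that somebody bought the app, not that this device asked for it now. The model below, an added illustration rather than Apple’s FairPlay protocol or any code from Unit 42, reduces that to a few lines and contrasts it with an authorization bound to a device identifier and a fresh nonce. The message layout, the HMAC store key (a real system would verify a public-key signature instead; a shared key keeps the example short), and the app, account and device identifiers are all constructed for the example.

```python
"""
Toy model of a replayable purchase authorization beside a device-bound one.
Added example, not Apple's FairPlay format: formats, key and identifiers are
assumptions made for illustration.
"""
import hashlib
import hmac
import os

# Constructed store signing key. Real systems would use a signature the
# device can verify with a public key; HMAC keeps the example self-contained.
STORE_KEY = b"example-store-signing-key"
APP = "com.example.wallpaper"  # constructed app identifier


def issue_authorization_weak(app_id: str, account: str) -> bytes:
    """Store side: proves 'this account bought app_id' and nothing more.
    No device name, no freshness, so any copy can be replayed anywhere."""
    msg = f"{app_id}|{account}".encode()
    return msg + b"|" + hmac.new(STORE_KEY, msg, hashlib.sha256).digest()


def device_accepts_weak(app_id: str, authorization: bytes) -> bool:
    """Device side: checks only that the store MAC over (app, account) is valid."""
    try:
        app, account, tag = authorization.split(b"|", 2)
    except ValueError:
        return False
    expected = hmac.new(STORE_KEY, app + b"|" + account, hashlib.sha256).digest()
    return app.decode() == app_id and hmac.compare_digest(tag, expected)


def issue_authorization_bound(app_id: str, account: str, device_id: str, nonce: bytes) -> bytes:
    """Store side: the MAC also covers the requesting device and its nonce."""
    msg = f"{app_id}|{account}|{device_id}|{nonce.hex()}".encode()
    return msg + b"|" + hmac.new(STORE_KEY, msg, hashlib.sha256).digest()


class Device:
    """Device side of the bound variant: each install starts with a nonce
    that the authorization must echo back, and the device name must match."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.pending: dict[str, bytes] = {}  # app_id -> nonce awaiting an answer

    def request(self, app_id: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[app_id] = nonce
        return nonce

    def accepts_bound(self, app_id: str, authorization: bytes) -> bool:
        try:
            app, account, dev, nonce_hex, tag = authorization.split(b"|", 4)
        except ValueError:
            return False
        msg = b"|".join([app, account, dev, nonce_hex])
        expected = hmac.new(STORE_KEY, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        pending = self.pending.get(app_id)
        ok = (app.decode() == app_id and dev.decode() == self.device_id
              and pending is not None and nonce_hex == pending.hex().encode())
        if ok:
            del self.pending[app_id]  # single use: a second replay fails
        return ok


def demo() -> tuple:
    """Replays one captured authorization against each variant."""
    # Weak variant: the attacker buys the app once and keeps the authorization.
    captured = issue_authorization_weak(APP, "attacker@example.com")
    # An Aisi Helper-style PC tool then presents it to every phone it sees.
    victims_fooled = all(device_accepts_weak(APP, captured) for _ in range(3))

    # Bound variant: the authorization names the attacker's device and nonce.
    attacker_phone = Device("attacker-phone")
    nonce = attacker_phone.request(APP)
    bound = issue_authorization_bound(APP, "attacker@example.com", "attacker-phone", nonce)
    victim_phone = Device("victim-phone")
    victim_phone.request(APP)  # even a pending request has a different nonce
    replay_blocked = not victim_phone.accepts_bound(APP, bound)
    legit_ok = attacker_phone.accepts_bound(APP, bound)
    second_use_blocked = not attacker_phone.accepts_bound(APP, bound)
    return victims_fooled, replay_blocked, legit_ok, second_use_blocked


if __name__ == "__main__":
    print(demo())
```

In the weak variant the store never learns which device an authorization ends up on, which is exactly why Xiao notes below that the apps need not still be in the App Store for the attack to keep working. Binding the authorization to the device and a one-time nonce is one way to close that gap in the model; whether and how Apple changed FairPlay is not covered by this article.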

Three infected apps were uploaded to the App Store between July 2015 and February 2016, Xiao said. Each passed Apple’s review by showing its malicious behavior only when run in a particular geographic region.

China Connection

“Apple removed these three apps from the App Store after we reported them in late February 2016,” he noted.

“However, the attack is still viable because the FairPlay MITM attack only requires these apps to have been available in the App Store once. As long as an attacker could get a copy of authorization from Apple, the attack doesn’t require current App Store availability to spread those apps,” Xiao continued.

While the malware, which Palo Alto calls “AceDeceiver,” appears to affect only users in mainland China, it’s a sign of bigger problems for Apple because it’s a blueprint for infecting nonjailbroken iPhones, he noted.

“As a result, it’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique,” Xiao said.

Can’t Blame Jailbreakers

With the recent introduction of ransomware for Linux and OS X, it’s apparent that malware writers are trying to expand their reach, noted Adrian Liviu Arsene, a senior threat analyst with Bitdefender.

“This is the first time that we’ve seen malware as an application installed on an iPhone that was not jailbroken,” he told TechNewsWorld. “If that can happen, the sky’s the limit.”

Although Apple removed the infected wallpaper apps from the App Store as soon as Palo Alto notified it about them, it may have been surprised by the attack, maintained Vishal Gupta, CEO of Seclore.

“Most attacks happen on jailbroken devices. Apple says it’s not responsible for jailbroken devices, and that’s usually where the story ends,” he told TechNewsWorld.

“This time it’s Apple’s responsibility,” Gupta said, “and there’s no way Apple can shrug this off.”

Data Protection Needed

Apple and other hardware makers need to focus more resources on protecting the data on phones, he maintained.

“Apple and others are too busy securing their devices. This device-centric view is, unfortunately, a challenge in the present security posture of a lot of companies, including Apple,” Gupta said.

“People are not interested in securing devices — they’re interested in securing their data,” he continued.

“If you lose your phone, you’ll feel sad about it, but you can always buy another phone,” Gupta added. “But if you lose your data, that can be something very difficult to replace.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine.
