Users of Apple iPhones are exposed to malware that steals account information to make illicit purchases and demands ransom from device owners. Researchers at Palo Alto Networks, together with the Chinese tech group WeipTech, discovered the malware, nicknamed KeyRaider, which infects only jailbroken iPhones.

According to the security company, the notorious attack is said to be "the largest known Apple account theft caused by malware".

Jailbreaking an iPhone is a common practice among users who wish to remove the restrictions imposed by Apple. By doing so, iPhone users can download and install unapproved third-party apps, themes and extensions. But the practice carries risk, as a jailbroken iPhone is highly susceptible to malware.

In a detailed research paper by Palo Alto Networks on the discovery of KeyRaider and how it affects users, the security firm said the malware is distributed through third-party Cydia repositories in China.

However, KeyRaider's impact is not limited to Chinese users and affects users from 18 countries, including France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

According to Palo Alto Networks, KeyRaider is more advanced than previous iOS malware such as AppBuyer. After infecting a jailbroken iOS device, KeyRaider steals the Apple account username and password, the device GUID, and the certificates and private keys used by Apple Push Notifications, and it also prevents the owner from unlocking the device with a passcode or through the iCloud service. The malware also acts as ransomware, demanding a ransom from users to release the device.

"It [KeyRaider] can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple's push server. Because of this functionality, some of the previously used "rescue" methods are no longer effective," Palo Alto Networks explained.

How to protect your iPhone from KeyRaider?

According to Palo Alto Networks, follow the steps below to free your iPhone from KeyRaider's clutches:

  1. Install an OpenSSH server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/ and grep all files under this directory for these strings:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains one of these strings, users are urged to delete it together with the plist file of the same name, then reboot the device.
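The check above, scripted as an added example that is not Palo Alto Networks' code: it greps every dylib in the MobileSubstrate directory for the four marker strings and prints the matching dylib and its same-named plist, then emits the removal commands for review instead of running them. It assumes a POSIX shell with a grep that accepts -a (GNU or BSD grep) on the device's SSH session; the KEYRAIDER_DIR variable and the sample files are constructed for the example.

```shell
# Added example (not Palo Alto Networks' code): scan a MobileSubstrate
# DynamicLibraries directory for the four KeyRaider marker strings from the
# article and report each matching .dylib with the .plist of the same name.
# Assumes a POSIX shell and a grep that accepts -a (GNU or BSD grep).
# Directory from the cleanup steps; override with KEYRAIDER_DIR=... to test.
KEYRAIDER_DIR="${KEYRAIDER_DIR:-/Library/MobileSubstrate/DynamicLibraries}"

# Print "<dylib> <marker> <plist>" for each dylib containing a marker string.
# Always returns 0; empty output means nothing matched.
scan_keyraider() {
    for lib in "$1"/*.dylib; do
        [ -f "$lib" ] || continue          # directory has no .dylib files
        for marker in wushidou gotoip4 bamu getHanzi; do
            # -a: treat the Mach-O binary as text, -F: literal match, -q: quiet
            if grep -a -q -F "$marker" "$lib"; then
                printf '%s %s %s\n' "$lib" "$marker" "${lib%.dylib}.plist"
                break                      # one marker is enough to flag it
            fi
        done
    done
    return 0
}

# Turn scanner output into the rm commands the article prescribes, printed
# for review rather than executed, so nothing is deleted without a look.
cleanup_commands() {
    while read -r lib marker plist; do
        printf 'rm -f %s %s   # matched %s\n' "$lib" "$plist" "$marker"
    done
}

# Constructed sample directory for offline demonstration: one benign tweak
# and one file carrying a marker. The bytes are made up, not real malware.
make_sample_dir() {
    sample=$(mktemp -d)
    printf 'benign tweak, no markers\n' > "$sample/GoodTweak.dylib"
    printf '<plist/>\n' > "$sample/GoodTweak.plist"
    printf 'junk\000bytes gotoip4 more junk\n' > "$sample/Suspect.dylib"
    printf '<plist/>\n' > "$sample/Suspect.plist"
    printf '%s\n' "$sample"
}

# Stand-alone run: scan the real directory on a jailbroken device, otherwise
# demonstrate on the constructed sample and remove the sample afterwards.
if [ -d "$KEYRAIDER_DIR" ]; then
    scan_keyraider "$KEYRAIDER_DIR" | cleanup_commands
else
    demo=$(make_sample_dir)
    scan_keyraider "$demo" | cleanup_commands
    rm -rf "$demo"
fi
```

After reviewing the printed rm commands and running them, reboot the device as the steps above require.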

It is strongly suggested that users change their Apple account password and enable two-factor verification for added security.