{"id":5159,"date":"2015-09-04T02:31:27","date_gmt":"2015-09-04T06:31:27","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/?p=5159"},"modified":"2019-11-22T15:38:29","modified_gmt":"2019-11-22T10:08:29","slug":"greatest-ios-theft-ever-who-needs-to-worry-about-keyraider-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/greatest-ios-theft-ever-who-needs-to-worry-about-keyraider-malware\/5159\/","title":{"rendered":"Greatest iOS theft ever \u2014 who needs to worry about KeyRaider malware"},"content":{"rendered":"<div class=\"entry-content\">\n<div>\n<p>While iOS is known for being secure by design, headlines over the past three days have challenged that. The noise was stirred up by a \u2018terrible\u2019 KeyRaider hack, which compromised <a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2015\/08\/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia\/\" target=\"_blank\" rel=\"noopener nofollow\">more than 225,000 iPhone accounts<\/a>. Boo!<\/p>\n<p>The truth is that the vast majority of iPhone and iPad users (almost all of them, actually) don\u2019t have to worry about this malware. KeyRaider affects <a href=\"http:\/\/bgr.com\/2015\/08\/27\/best-jailbreak-tweaks-top-10-iphone-aug\/\" target=\"_blank\" rel=\"noopener nofollow\">only jailbroken devices<\/a> \u2014 it cannot break into an iPhone unless its owner has already hacked it himself. Owners of \u2018legal\u2019 Apple devices can take a breather.<\/p>\n<p>When it comes to Apple devices, you can either accept the limits imposed by the manufacturer or jailbreak your device to get greater customization and access to new features. 
Risks come hand in hand with the freedom you\u2019ve just acquired, because you are giving malware the same access.<\/p>\n<p><a href=\"https:\/\/twitter.com\/flargh\/status\/639142421750792192\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/twitter.com\/flargh\/status\/639142421750792192<\/a><\/p>\n<p>So don\u2019t jailbreak your iPhone or iPad, or you may end up dealing with malware, which has already infected devices from 18 countries, including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea. The majority of the victims are from China. If you still want to jailbreak your device, it does not necessarily mean that you\u2019ll be infected. To get infected, you have to install an app from a third-party Cydia repository. After that your device will be \u2018upgraded\u2019 with free malware that steals usernames, passwords and unique device identifiers and sends them to a remote server run by malicious hackers.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">KeyRaider <a href=\"https:\/\/twitter.com\/hashtag\/Malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Malware<\/a> Steals Certs, Keys &amp; Account Data From Jailbroken <a href=\"https:\/\/twitter.com\/hashtag\/iPhones?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#iPhones<\/a>: <a href=\"http:\/\/t.co\/RKlDhcJc1m\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/RKlDhcJc1m<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/IZ90PMfRXx\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/IZ90PMfRXx<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/638431344297648128?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener 
nofollow\">August 31, 2015<\/a><\/p><\/blockquote>\n<p>KeyRaider can also lock your Apple device and demand a ransom to return access to your files. It\u2019s very nasty malware, to put it shortly. In July 2015, WeipTech experts started checking iPhone and iPad users\u2019 complaints about unauthorized purchases and about discovering iOS apps they had not installed. Researchers managed to track the criminals and break into the server that belonged to the hackers. They gathered data and even reverse-engineered the <a href=\"http:\/\/bgr.com\/tag\/jailbreak\/\" target=\"_blank\" rel=\"noopener nofollow\">jailbreak<\/a> tweak to find out how it worked.<\/p>\n<p>WeipTech experts called it the biggest theft ever involving Apple accounts. Even though the malware affects only jailbroken devices, it\u2019s really serious for its victims. About a quarter of a million users have already fallen victim.<\/p>\n<p>If you think you might be one of them, check this <a href=\"http:\/\/www.weiptech.org\/\" target=\"_blank\" rel=\"noopener nofollow\">website created by the WeipTech company<\/a>. It\u2019s in Chinese, but you can use Google Translate.<\/p>\n<p>Researchers at WeipTech also suggest an <a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2015\/08\/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia\/\" target=\"_blank\" rel=\"noopener nofollow\">alternative method<\/a>. 
The instructions are rather hardcore, but anyone who can jailbreak an iOS device will surely cope with them. You can:<\/p>\n<ul>\n<li>Install the OpenSSH server through Cydia<\/li>\n<li>Connect to the device through SSH<\/li>\n<li>Go to \/Library\/MobileSubstrate\/DynamicLibraries\/ and grep all files under this directory for these strings: wushidou, gotoip4, bamu, getHanzi<\/li>\n<\/ul>\n<p>If you find any of these strings in any file in the directory, delete that file and delete the .plist file with the same filename. Then reboot the device. After that it\u2019s strongly recommended to change your Apple account password and <a href=\"https:\/\/support.apple.com\/en-us\/HT204152\" target=\"_blank\" rel=\"noopener nofollow\">enable two-factor verification for your Apple ID<\/a>.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>While iOS is notorious for being innately secure, headlines over the past three days have challenged that. The noise was brought upon by a \u2018terrible\u2019 KeyRaider hack, which compromised 
more<\/p>\n","protected":false},"author":522,"featured_media":5160,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2196],"tags":[1191,78,1219,100,26,1192,36,430,443,97,45],"class_list":{"0":"post-5159","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-apple-china","10":"tag-hackers","11":"tag-ios","12":"tag-ipad","13":"tag-iphone","14":"tag-keyraider","15":"tag-malware-2","16":"tag-mobile-devices","17":"tag-ransomware","18":"tag-security-2","19":"tag-smartphones"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/greatest-ios-theft-ever-who-needs-to-worry-about-keyraider-malware\/5159\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/greatest-ios-theft-ever-who-needs-to-worry-about-keyraider-malware\/3414\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/apple-china\/","name":"apple 
China"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/5159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/522"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=5159"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/5159\/revisions"}],"predecessor-version":[{"id":17778,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/5159\/revisions\/17778"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/5160"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=5159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=5159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=5159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}