Jailbroken iPhones and iPads have been targeted by malware that has let roughly 20,000 users abuse 225,000 stolen Apple accounts to make App Store purchases without paying.
A Palo Alto Networks blog post this week said the malware, named KeyRaider, has harvested account information from 18 countries, including Australia, and sent it to a command and control (C2) server.
"Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom," wrote Palo Alto security researcher Claud Xiao.
When used as a ransom tool, KeyRaider is more difficult to disable than past iOS attacks: "Some [previous] attacks can be avoided by resetting the account password to regain control of iCloud. KeyRaider is different. It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered."
The malware has stolen over 225,000 Apple accounts and "thousands of certificates, private keys, and purchasing receipts".
"The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying," said Xiao, adding that the tweaks have been downloaded over 20,000 times, suggesting over 20,000 users are abusing the 225,000 stolen accounts.
The scam was first discovered in July by a university student member of WeipTech, an amateur technical group associated with a Chinese Apple fan website. Palo Alto said it had previously collaborated with the group to combat other Apple malware such as AppBuyer and WireLurker.
KeyRaider spreads through third-party Cydia repositories, the package sources that jailbroken iOS devices use to install apps and tweaks.
"The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device," Xiao wrote.
"KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."
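The hooking Xiao describes is native code injected by MobileSubstrate, which decides where to inject each tweak from a filter plist sitting next to the dylib. One practical check a jailbreak user can run over SSH is therefore to audit those filters and flag any tweak that injects into the on-device App Store daemon, or that has no filter and so loads everywhere. The script below is an added example, not code from Palo Alto Networks, from the article, or from KeyRaider itself. It assumes the standard /Library/MobileSubstrate/DynamicLibraries layout, the usual Filter -> Bundles / Executables keys, and that the process worth scrutiny is itunesstored (bundle ID com.apple.itunesstored); the sample tweak directory it builds is constructed for the demo, and matching a filter is a reason to look, not proof of compromise.

```python
"""Best-effort audit of MobileSubstrate filter plists on a jailbroken device.

Added example, not Palo Alto Networks' or KeyRaider's code. Assumptions:
  * each tweak is DIR/<name>.dylib with a filter at DIR/<name>.plist;
  * filters use the usual Filter -> Bundles / Executables keys;
  * the process handling App Store / iTunes traffic on the device is
    itunesstored (bundle ID com.apple.itunesstored);
  * a dylib with no filter, or an empty one, is loaded into every process.
"""
import os
import plistlib
import re
import tempfile

SUBSTRATE_DIR = "/Library/MobileSubstrate/DynamicLibraries"
# Processes that handle App Store / iTunes traffic on the device (assumed).
SUSPICIOUS_TARGETS = {"com.apple.itunesstored", "itunesstored"}


def _read_filter(plist_path):
    """Return (bundles, executables) named by a Substrate filter plist.

    XML and binary plists go through plistlib. Theos-built tweaks often ship
    the older ASCII plist syntax, which plistlib cannot read, so on any parse
    failure fall back to scraping the quoted strings out of the file.
    """
    with open(plist_path, "rb") as fh:
        raw = fh.read()
    try:
        flt = plistlib.loads(raw).get("Filter", {})
        return list(flt.get("Bundles", [])), list(flt.get("Executables", []))
    except Exception:  # InvalidFileException, ExpatError, bad structure
        names = re.findall(rb'"([^"]+)"', raw)
        return [n.decode("utf-8", "replace") for n in names], []


def audit_substrate_dir(dylib_dir=SUBSTRATE_DIR, targets=SUSPICIOUS_TARGETS):
    """Return {dylib_name: reason} for every tweak that deserves a closer look."""
    findings = {}
    if not os.path.isdir(dylib_dir):
        return findings
    for name in sorted(os.listdir(dylib_dir)):
        if not name.endswith(".dylib"):
            continue
        plist_path = os.path.join(dylib_dir, name[: -len(".dylib")] + ".plist")
        if not os.path.exists(plist_path):
            findings[name] = "no filter plist: loaded into every process"
            continue
        bundles, executables = _read_filter(plist_path)
        hits = sorted(set(bundles + executables) & set(targets))
        if hits:
            findings[name] = "injects into " + ", ".join(hits)
        elif not bundles and not executables:
            findings[name] = "empty filter: loaded into every process"
    return findings


def build_demo_dir():
    """Constructed sample tweak directory (not real tweaks) so the audit runs offline."""
    d = tempfile.mkdtemp(prefix="substrate-demo-")

    def write(name, data):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)

    # A benign UI tweak that only touches SpringBoard, XML plist.
    write("ClockTweak.dylib", b"")
    write("ClockTweak.plist",
          plistlib.dumps({"Filter": {"Bundles": ["com.apple.springboard"]}}))
    # A tweak that injects into the App Store daemon, Theos-style ASCII plist.
    write("StoreHelper.dylib", b"")
    write("StoreHelper.plist",
          b'{ Filter = { Bundles = ( "com.apple.itunesstored" ); }; }')
    # A dylib shipped with no filter at all.
    write("Everywhere.dylib", b"")
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for dylib, why in audit_substrate_dir(demo).items():
        print(f"{dylib}: {why}")
```

Run it with no arguments on a jailbroken device (as root over SSH) to audit the real directory, or call `audit_substrate_dir()` against the constructed demo tree as the `__main__` block does. The checks are deliberately coarse: a legitimate tweak can also hook itunesstored, and a malicious one can be hidden behind a broader filter, so treat a hit as a prompt to inspect the dylib, not as a verdict.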
Palo Alto stated in the blog that the best way to avoid KeyRaider is to avoid jailbreaking an Apple device: "Never jailbreak your iPhone or iPad if you can avoid it. At this point in time, there aren’t any Cydia repositories that perform strict security checks on apps or tweaks uploaded to them. Use all Cydia repositories at your own risk."