KeyRaider: the largest Apple account leak to date
From: KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia
Recently, WeipTech analyzed some suspicious iOS apps reported by users and found more than 225,000 valid Apple accounts and passwords stored on a server.
Working with WeipTech, we (Palo Alto Networks) identified 92 previously undiscovered malware samples. We analyzed the samples to understand the author's intent and named the family "KeyRaider". We believe this is the largest Apple account leak ever caused by malware.
KeyRaider targets jailbroken iOS devices and is distributed in China through third-party Cydia repositories. The malware may have affected users in 18 countries, including China, France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.
KeyRaider uses the MobileSubstrate framework to hook system processes and intercept iTunes traffic, stealing the Apple account user name, password, and device GUID. It also steals the Apple Push Notification service certificate and private key and App Store purchase receipts from iPhone and iPad devices, and disables local and remote unlocking.
KeyRaider has stolen more than 225,000 valid Apple accounts, thousands of certificates, private keys, and purchase receipts. The malware uploads the stolen data to its command-and-control (C2) server, which itself has a vulnerability that exposes the user information.
The purpose of the attack is to let users of two jailbreak tweaks download any app from the official App Store for free and make in-app purchases without paying. (A jailbreak tweak is a software package, installed from a Cydia repository after jailbreaking, that lets users do things a stock device does not allow.)
These two tweaks hijack app purchase requests, download stolen accounts and purchase receipts from the C2 server, and then emulate the iTunes protocol to log in to Apple's servers and buy the item the user requested. The two tweaks have been downloaded more than 20,000 times, which means about 20,000 users are abusing the 225,000 stolen credentials.
Some victims have reported unusual purchase history in their Apple accounts and extortion attempts.
Palo Alto Networks and WeipTech provide services to detect KeyRaider malware and to identify stolen credentials. The rest of this report gives details of the malware and the attack.
The attack was first discovered by i_82, a student at Yangzhou University and a member of WeipTech. WeipTech is an amateur technical group formed by users of WeiPhone, China's largest Apple fan site. WeipTech previously worked with us to disclose the AppBuyer and WireLurker malware for iOS and OS X.
WeipTech began investigating after some Apple accounts showed unauthorized purchases and installs of iOS apps. Examining the jailbreak tweaks installed by the affected users, they found one that collected user information and uploaded it to an unknown website. The website had a SQL injection vulnerability that allowed them to view every record in its database. Figure 1 shows the "top100" database.
Figure 1. WeipTech found SQL injection on the C2 server (image from WeipTech)
In the database, WeipTech found a total of 225,941 records in a table named "aid". About 20,000 of the records contained plaintext user names, passwords, and GUIDs; the rest were encrypted.
By reverse engineering the malicious app, WeipTech found code that encrypts the data with AES using the static key "mischa07". With that key they could decrypt the user names and passwords, and by logging in they confirmed that the records were valid Apple accounts. Before the site's administrator noticed and disabled the service, WeipTech had downloaded about half of the database records.
On July 6, WeipTech submitted the vulnerability to WooYun (a Chinese vulnerability reporting platform), and on August 25 it issued a public warning on Weibo. The vulnerability was subsequently forwarded to CNCERT/CC (China's National Computer Network Emergency Response Technical Team), a third-party partner.
When Palo Alto Networks researchers analyzed the malware WeipTech reported, we found that it did not contain the code that steals passwords and uploads data to the C2 server. Using other information WeipTech provided, however, we found other malicious jailbreak tweaks that steal user information and upload it to the same server.
We named this new iOS malware family "KeyRaider" because it steals passwords, private keys, and certificates.
To our knowledge, KeyRaider spreads to jailbroken iOS devices only through WeiPhone's Cydia repository. Unlike other Cydia repositories such as BigBoss and ModMyi, WeiPhone provides a private repository for each registered user, where users can upload their own jailbreak tweaks and share them with others.
In 2015 a user named "mischa07" uploaded at least 15 KeyRaider applications to his private repository (http://apt.so/index.php?r=cydiaTa/index&user_id=8676626), as shown in Figure 2. His user name is also hard-coded in the malware as the encryption and decryption key, as shown in Figure 3. We strongly suspect this person is KeyRaider's developer.
Figure 2. mischa07's personal Cydia repository
Figure 3. "mischa07" hard-coded as the encryption key in the malware
According to WeiPhone's web pages, some of the uploaded jailbreak tweaks have been downloaded tens of thousands of times, as shown in Figure 4. These apps and tools offer features such as game cheats, system tuning, and ad blocking in apps.
There are two special applications in mischa07's repository:
● iappstore (Figure 5): lets users download paid apps from the official Apple App Store for free
● iappinbuy: lets users buy paid items or services for free inside apps downloaded from the official App Store
mischa07 promoted these two tweaks in the WeiPhone community, as shown in Figure 6, but some users did not believe the advertised features. Nevertheless, according to WeiPhone's website, iappinbuy had 20,199 downloads (Figure 4) and iappstore had 62 downloads (statistics for the latest version only).
Figure 4. A malicious sample downloaded more than 30,000 times
Figure 5. The iappstore malware can install paid apps directly from the App Store
Figure 6. The author promoting his iappstore application
Another WeiPhone user, going by "zhudao Babu" or "bamu", also distributed KeyRaider. Because bamu's personal repository (http://apt.so/aptso) offered many useful applications, it was very popular in the community. After the attack was exposed, bamu deleted all the malware from his repository and disabled it. With WeiPhone's help, we checked every application bamu had uploaded; 77 of them contained KeyRaider. Unlike mischa07, who developed different versions of the malware, bamu repackaged existing apps (such as iFile, iCleanPro, and avfun) and added the malicious code to them.
When KeyRaider uploads a stolen password to the C2 server, the HTTP URL carries a parameter named "flag" or "from" that tracks the source of the infection. In mischa07's code the value is usually the app name, such as "lettv"; in bamu's applications it is "bamu". According to the leaked data, more than 67% of the stolen information came from bamu's repackaged apps.
Because bamu is only a distributor, the behavior analysis below focuses on mischa07's samples.
Stealing user data
KeyRaider collects three types of user data and uploads them to the C2 server through HTTP requests. We found two different C2 servers.
During our analysis, both C2 domain names resolved to the IP address 220.127.116.11. The "top100" database on the C2 server has three tables: "aid", "cert", and "other". On the server side, KeyRaider uses four PHP scripts to access the database: aid.php, cert.php, other.php, and data.php. By analyzing the code and the leaked data downloaded by WeipTech, we found that the aid table stores 225,941 records containing Apple ID user names, passwords, and device GUIDs. The cert table stores 5,841 certificates and private keys from infected devices, used for the Apple Push Notification service (Figure 7). Finally, the other table stores the GUIDs of more than 3,000 devices together with the purchase receipts they sent to the App Store server.
Figure 7. A leaked record from the cert table
We sorted the leaked Apple ID email addresses by domain. More than half of the users use QQ Mail, and six of the top ten email domains are used mainly by Chinese users.
However, we also found email domains belonging to other countries or regions, including:
• tw: Taiwan
• fr: France
• ru: Russia
• jp: Japan
• uk: United Kingdom
• ca: Canada
• de: Germany
• au: Australia
• us: United States
• cz: Czech Republic
• il: Israel
• it: Italy
• nl: Netherlands
• es: Spain
• vn: Vietnam
• pl: Poland
• sg: Singapore
• kr: South Korea
KeyRaider's malicious code lives in a Mach-O dynamic library that serves as a plug-in for the MobileSubstrate framework. Through the MobileSubstrate API, the malware can hook any function in system processes or other iOS apps.
Many earlier iOS malware families also abused MobileSubstrate. For example, Unflod (also known as SSLCreds or Unflod Baby Panda), first spotted by a Reddit user and analyzed by SektionEins, intercepted SSL-encrypted traffic to steal Apple account passwords. AppBuyer, found last year, used the same technique to steal passwords and buy apps from the App Store. KeyRaider builds further on this technique. Its main malicious behaviors are:
● Theft of Apple accounts (user names and passwords) and device GUIDs
● Theft of the certificates and private keys used for the Apple Push Notification service
● Locking infected devices by blocking both passcode and iCloud-based unlocking
Note: MobileSubstrate is a framework that lets third-party developers apply runtime patches to system methods in order to extend them, similar to Application Enhancer on OS X. Most plug-ins in a jailbroken iOS environment therefore require MobileSubstrate to be installed first.
Stealing Apple account data
Most KeyRaider samples hook the SSLRead and SSLWrite functions in the itunesstored process (Figure 8). itunesstored is a system daemon responsible for communicating with the App Store using the iTunes protocol.
Figure 8. KeyRaider hooks SSLRead and SSLWrite in itunesstored
When the App Store client logs in with a user's Apple account, the login information is sent to the App Store server over an SSL-encrypted session. In its replacement SSLWrite function, KeyRaider looks for such sessions and extracts the Apple account user name, password, and device GUID from the outgoing data by matching specific patterns (Figure 9). Then, in its replacement SSLRead function, it encrypts these credentials with AES using the static key "mischa07" and sends them to the KeyRaider C2 server (Figure 10).
Figure 9. Searching for Apple account information in SSL data
Figure 10. Uploading stolen credentials to the C2 server
Besides hooking SSLRead and SSLWrite, KeyRaider calls MGCopyAnswer("UniqueDeviceID") to read the device GUID.
Stealing certificates and private keys
In some samples, KeyRaider also hooks the apsd daemon, which is responsible for the Apple Push Notification service on iOS. There it hooks the SecItemCopyMatching function of the Security framework, the API used to search the keychain for items matching a given query.
When a query searches for items labeled "APSClientIdentity", KeyRaider first executes the original SecItemCopyMatching, then calls SecIdentityCopyCertificate and SecIdentityCopyPrivateKey to copy the certificate and private key out of the returned result (Figure 11). It sends them, together with the device GUID, to the C2 server (Figure 12). In the iOS keychain, the item labeled APSClientIdentity is the identity used for push notifications; with it, an attacker can forge push notifications to the device.
Figure 11. Copying the push service's certificate and private key
Figure 12. Uploading the certificate and key
Locking the device
Within its SecItemCopyMatching hook, in addition to intercepting the push notification certificate, KeyRaider also compares the queried label with the specific string "com.apple.lockdown.identity.activation". If it matches, KeyRaider sets the query result to 0 (Figure 13).
At the time of writing, there was no public documentation of the com.apple.lockdown.identity.activation query. We believe it is used when unlocking the device. By setting the return value to 0, KeyRaider prevents users from unlocking their devices, even when they enter the correct passcode on the phone or unlock it remotely through iCloud.
In all the samples we found, this code is self-contained: it is not called by other code, but is implemented and exported as a function. We already have evidence, however, that this functionality has been used in real attacks.
Some KeyRaider samples download purchase receipts and Apple accounts from the C2 server, but this capability is actually used in only two applications, iappstore and iappinbuy. According to users, iappstore lets you download any app from the App Store for free. Let's look at how it is implemented.
The app hooks SSLWrite twice. The first hook steals the password. The second hook checks whether the current HTTP request is "POST /WebObjects/MZBuy.woa/wa/buyProduct", to determine whether the current session is a purchase in the iTunes protocol (Figure 14).
Figure 14. Hooking the app purchase session
If the request is a purchase, the original SSLWrite is called, and the hook code then tries to match keywords in the sent data to obtain the payment information for the current app, such as "salableAdamId", "appExtVrsId", "vid", "price", "guid", "installedSoftwareRating", and "pricingParameters". If the app is paid, the fire() function is called.
fire() calls readAid(), which reads the local file /var/mobile/Documents/iappstore_aid.log. This file contains the account's user name, password, device GUID, related iTunes session token and cookies, phone number, carrier, operating system information, and iTunes CDN server number. readAid() parses the data and creates an account object.
If the file does not exist, it calls readAidUrl(), which downloads new account information from the KeyRaider C2 server and creates an account object (Figure 15). Figure 16 shows an account downloaded from the server.
Figure 15. Downloading an Apple account from the C2 server
Figure 16. A stolen Apple account downloaded from the C2 server
After the account object is created, fire() generates a plist-format string containing the account information and then calls login() and sendBuy().
login() creates an HTTP connection to the login URL, carrying the plist string and a User-Agent value resembling that of the App Store client.
This logs the remote Apple account into the current iTunes session (Figure 17).
Figure 17. Emulating the login protocol
After sending the login request, login() parses the response, extracts cookies, tokens, and other information, and saves them together with the account password to the local iappstore_aid.log file for later purchases. If the login fails because of a wrong password, it calls readAidUrl() again to obtain a different Apple account from the C2 server.
sendBuy() works like login(), but requests a different URL for purchase verification.
Through this process, the iappstore app can use stolen accounts to buy any app. In addition, in two standalone functions, verifySF() and verifySF2(), KeyRaider also tries to fetch the security questions and answers for the Apple account and password. This functionality was not finished in the samples we analyzed.
iappinbuy works in the same way as iappstore; the only difference is the purchase interface (Figure 18). The C2 server database also stores some previously used in-app purchase (IAP) receipts, and the author seems to plan to reuse them, for example by sending them to Apple's server to prove that the service has already been purchased.
Besides stealing Apple accounts to buy apps, KeyRaider has a built-in locking function for extortion.
Earlier iPhone ransomware remotely controlled iOS devices through the iCloud service, and those attacks could be undone by resetting the account password. KeyRaider instead disables all unlock operations locally, even when the correct passcode or password is entered. It can also use the stolen certificates and private keys to send ransom notification messages, and those push notifications do not need to go through Apple's push server. The earlier remedy therefore no longer works.
Figure 19 shows a ransom message reported by a victim.
Figure 19. Ransom message on a locked iPhone
Other potential risks
Attackers can do the following with the leaked user names, passwords, and other information:
● App promotion: install specified apps on victims' phones to boost App Store rankings
● Cash-out: use the accounts to buy paid apps
● Spam: send spam through iMessage
● Extortion: use the account password to steal private information and extort the victim
Protection and Prevention
Note: KeyRaider affects only jailbroken iOS devices; devices that are not jailbroken are not affected. WeipTech has launched a query service where you can enter your Apple account email to see whether it was leaked. Palo Alto Networks reported the stolen account information to Apple on August 26. Note also that, because the attackers discovered and fixed the vulnerability in their data collection server, WeipTech was able to recover only about half of the stolen data, so users who installed jailbreak tweaks from untrusted Cydia repositories may be affected even if their account is not in the recovered data.
You can check whether your iOS device is affected as follows:
1. Install OpenSSH (from Cydia)
2. Connect to the device over SSH
3. In the /Library/MobileSubstrate/DynamicLibraries/ directory, grep every file for the following strings: wushidou, gotoip4, bamu, getHanzi
If any dylib file contains any of these strings, delete that file and the plist file with the same name, then reboot the device.
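The manual check above, as an added example (our script, not part of the original report or WeipTech's tooling): a POSIX shell scanner that applies the four indicator strings and the dylib SHA1 hashes from the hash list at the end of this report to every dylib in the MobileSubstrate plug-in directory, and optionally removes a flagged dylib together with its same-name .plist filter file. The function names, the default directory argument, and the constructed sample files mentioned in the comments are our assumptions; it expects grep and either sha1sum (coreutils) or openssl, which on a jailbroken device you would install from Cydia and run over SSH.

```shell
#!/bin/sh
# Added example, not from the original report: scan a MobileSubstrate
# DynamicLibraries directory for KeyRaider indicators using the four strings
# from the manual check and the dylib SHA1s from the report's hash list.
# Assumed: POSIX sh, grep, and sha1sum (coreutils) or openssl are available.

# Indicator strings quoted in the report. "bamu" is short enough to occur in
# unrelated binaries, so treat a string hit as a lead to confirm, not proof.
KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"

# SHA1 hashes of the four KeyRaider dylibs from the report's hash list.
KEYRAIDER_SHA1S="
9ae5549fdd90142985c3ae7a7e983d4fcb2b797f
bb56acf8b48900f62eb4e4380dcf7f5acfbdf80d
5c7c83ab04858890d74d96cd1f353e24dec3ba66
717373f57ff4398316cce593af11bd45c55c9b91
"

# Print the SHA1 of a file using whichever tool is present.
file_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/^.*= //'
    fi
}

# keyraider_scan [dir]: print "<reason> <path>" for each suspicious dylib.
# The default directory is where MobileSubstrate loads its plug-ins from.
keyraider_scan() {
    dir=${1:-/Library/MobileSubstrate/DynamicLibraries}
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue
        for s in $KEYRAIDER_STRINGS; do
            # grep -q exits 0 on a match even when the file is binary
            if grep -q "$s" "$f"; then
                echo "string:$s $f"
                break
            fi
        done
        h=$(file_sha1 "$f" 2>/dev/null) || h=""
        if [ -n "$h" ]; then
            case "$KEYRAIDER_SHA1S" in
                *"$h"*) echo "sha1:$h $f" ;;
            esac
        fi
    done
}

# keyraider_remove [dir]: delete each flagged dylib and its same-name .plist
# (the MobileSubstrate filter that names the processes it injects into).
# Reboot afterwards so the already-injected copy is unloaded.
keyraider_remove() {
    keyraider_scan "$1" | while read -r reason path; do
        rm -f "$path" "${path%.dylib}.plist"
        echo "removed $path and ${path%.dylib}.plist ($reason)"
    done
}

# Usage on a device, over SSH:
#   keyraider_scan              # dry run, lists hits
#   keyraider_remove && reboot  # delete hits and restart
```

Run the dry-run scan first and inspect the hits: a string match on "bamu" alone deserves a look at the file before deletion, while a SHA1 match against the hash list is conclusive. The hash check only catches the exact samples listed, so a repackaged or recompiled variant will surface through the string check or not at all; after cleanup, change the Apple ID password regardless.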
In addition, we recommend changing your Apple account password and enabling two-factor authentication after removing the malware (https://support.apple.com/en-us/HT204152). Finally, the best way to avoid KeyRaider and similar malware is not to jailbreak. Cydia repositories do not perform strict security checks on uploaded applications, so installing apps through them carries risk.
SHA1 hashes of KeyRaider samples:
9ae5549fdd90142985c3ae7a7e983d4fcb2b797f CertPlugin.dylib
bb56acf8b48900f62eb4e4380dcf7f5acfbdf80d MPPlugin.dylib
5c7c83ab04858890d74d96cd1f353e24dec3ba66 iappinbuy.dylib
717373f57ff4398316cce593af11bd45c55c9b91 iappstore.dylib
8886d72b087017b0cdca2f18b0005b6cb302e83d 9catbbs.GamePlugin_6.1-9.deb
4a154eabd5a5bd6ad0203eea6ed68b31e25811d7 9catbbs.MPPlugin_1.3.deb
e0576cd9831f1c6495408471fcacb1b54597ac24 9catbbs.iappinbuy_1.0.deb
af5d7ffe0d1561f77e979c189f22e11a33c7a407 9catbbs.iappstore_4.0.deb
a05b9af5f4c40129575cce321cd4b0435f89fba8 9catbbs.ibackground_3.2.deb
1cba9fe852b05c4843922c123c06117191958e1d repo.sunbelife.batterylife_1.4.1.deb
We are particularly grateful to i_82 of WeipTech for sharing data, reports, and other useful information with us, to CDSQ of WeipTech for providing samples, and to Xsser and FengGou of WooYun for sharing information. Thanks to Sereyvathana Ty, Zhaoyan Xu, and Rongbo Shao of Palo Alto Networks for their malware analysis, and to Ryan Olson of Palo Alto Networks for reviewing this report.