New ‘AceDeceiver’ iOS trojan found in China can bypass Apple’s DRM

Stock, non-jailbroken iOS devices appear to be vulnerable to a new security threat: a trojan known as AceDeceiver, which can be installed on an iOS device without the user’s knowledge and without the help of an enterprise certificate. Once installed, it will spread malware and unwanted software to the user’s device.

AceDeceiver works by taking advantage of the FairPlay digital rights management (DRM) system that Apple has in place, through what Palo Alto Networks calls a “FairPlay Man-in-the-Middle” (MITM) attack. In the past, this same method has been used to distribute pirated iOS apps using fake iTunes software and altered authorization codes. That same technique is now being used to spread the trojan.

“Apple allows users to purchase and download iOS apps from their App Store through the iTunes client running on their computer. They then can use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from the App Store, then intercept and save the authorization code. They then develop PC software that simulates the iTunes client behaviors and tricks iOS devices into believing the app was purchased by the victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.”
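To make the design flaw behind the quoted description concrete, here is an added Python model. It is not code from this article or from Palo Alto Networks, and it is not FairPlay’s real protocol; STORE_KEY, the app and account strings, the Device class and the function names are all constructed for illustration. In the weak model the store’s authorization code proves only that some account bought the app, so a code captured once can be presented to any device by a fake client. In the hardened model the code is also bound to the presenting device’s identifier and to a one-time nonce that device chose, so the captured code is rejected on another device and on re-use by the original one.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret: stands in for whatever key material a real
# store/device pair would share. Everything here is a toy model, not FairPlay.
STORE_KEY = b"constructed-store-secret"
APP = "com.example.wallpaper"            # constructed app identifier
ATTACKER_ACCOUNT = "buyer@example.com"   # constructed account that really paid once


def issue_unbound_code(app_id: str, account: str) -> bytes:
    """Store side, weak model: prove that `account` bought `app_id`.
    Nothing in the code identifies the device that will present it."""
    msg = f"{app_id}|{account}".encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).digest()


def device_accepts_unbound(app_id: str, account: str, code: bytes) -> bool:
    """Device side, weak model: any valid (app, account) code is accepted."""
    return hmac.compare_digest(issue_unbound_code(app_id, account), code)


def issue_bound_code(app_id: str, account: str, device_id: str, nonce: bytes) -> bytes:
    """Store side, hardened model: the code also commits to the presenting
    device and to a one-time nonce that device chose for this install."""
    msg = f"{app_id}|{account}|{device_id}|{nonce.hex()}".encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).digest()


class Device:
    """Toy iOS device in the hardened model: it issues a fresh nonce per
    install request and accepts only a code over its own id and that nonce."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self._pending: dict[str, bytes] = {}

    def request_nonce(self, app_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[app_id] = nonce
        return nonce

    def accepts(self, app_id: str, account: str, code: bytes) -> bool:
        nonce = self._pending.pop(app_id, None)   # one-time: consumed on use
        if nonce is None:
            return False
        expected = issue_bound_code(app_id, account, self.device_id, nonce)
        return hmac.compare_digest(expected, code)


def replay_against_unbound_model() -> bool:
    """The buyer's code is captured once and later presented to a different
    device by a client that imitates iTunes. Returns True: it is accepted."""
    captured = issue_unbound_code(APP, ATTACKER_ACCOUNT)
    return device_accepts_unbound(APP, ATTACKER_ACCOUNT, captured)


def replay_against_bound_model() -> tuple[bool, bool, bool]:
    """Same capture-and-replay against the hardened model.
    Returns (buyer's own install ok, replay to another device ok,
    second presentation to the buyer's own device ok)."""
    buyer_dev = Device("DEVICE-A")
    nonce = buyer_dev.request_nonce(APP)
    captured = issue_bound_code(APP, ATTACKER_ACCOUNT, buyer_dev.device_id, nonce)
    own_ok = buyer_dev.accepts(APP, ATTACKER_ACCOUNT, captured)

    other_dev = Device("DEVICE-B")
    other_dev.request_nonce(APP)
    other_ok = other_dev.accepts(APP, ATTACKER_ACCOUNT, captured)

    buyer_dev.request_nonce(APP)                  # fresh nonce, stale code
    second_ok = buyer_dev.accepts(APP, ATTACKER_ACCOUNT, captured)
    return own_ok, other_ok, second_ok


if __name__ == "__main__":
    print("weak model accepts replayed code:", replay_against_unbound_model())
    print("hardened model (own, other device, re-use):", replay_against_bound_model())
```

The weak model also explains why pulling the apps from the App Store does not undo the damage: a code that proves only “someone paid for this app” stays valid for as long as the attacker holds it, whereas a device-bound, single-use code is worthless once its install request has been consumed.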
It has been discovered that from July 2015 to February 2016, at least three different AceDeceiver apps were uploaded to the official iOS App Store. They posed as wallpaper apps, and they gave those behind the apps fake authorization codes to use in the attack. On top of that, a Windows-based iPhone management app called “Aisi Helper” (which claimed to offer system backup services) has been used to install malicious iOS apps on iOS devices connected directly to the PC. It did so by offering access to a third-party app store of free apps. That third-party app store could only be accessed by entering the user’s Apple ID and password, which then immediately became available to the attackers.

Apple officially removed the AceDeceiver apps in February; however, the infection is still present on devices where it was installed, because the authorization codes are still in the hands of the attackers. And while a fix may come in a patch down the road, it’s possible that older devices could still suffer from the trojan even after a patch is released.

How to protect yourself

If you use a Windows machine, avoid downloading sketchy software. If you downloaded Aisi Helper, remove it immediately. Mac users cannot run the Aisi Helper tool, but there’s no telling whether this could change in the future.

If prompted to enter your Apple ID for any reason, make sure you are entering it only into a legitimate Apple app, never into a third-party app. Due to App Store restrictions, a third-party app should never ask for your Apple ID, so any third-party app asking for it should immediately raise red flags.

Other steps to take, as recommended by Palo Alto Networks, include:
  • Check to make sure no strange enterprise certificates have been installed on your device
  • Check to make sure no strange provisioning profiles have been installed on your device
  • Enable two-factor authentication for your Apple ID
  • Change your Apple ID password as soon as possible
