The best advice for securing your iPhone was once simply "don't jailbreak it." But a new form of malware, dubbed AceDeceiver by its finders, exploits an iOS vulnerability that had only been hinted at in research papers.
In a blog post yesterday (Mar. 17), Palo Alto Networks said the malware arrives as part of free Windows software meant to optimize iOS devices. After installation, the software secretly installs rogue apps on any connected iPhone or iPad. When opened outside China, those apps are just wallpaper. But inside China, they open up a rogue app store that offers pirated versions of popular games and asks users to provide their Apple IDs and passwords.
"First it was XcodeGhost, then ZergHelper and now AceDeceiver," Ryan Olson of Palo Alto Networks told the Threatpost security-news site, referring to two other pieces of iOS malware found in the past six months. "What we are seeing is a slow chipping away at Apple's App Store security."
AceDeceiver's creators first built three apps and submitted them to the Apple App Store in various countries. These were also geolocated -- in China, they opened rogue app portals, but outside, they were merely wallpapers. The developers rightly assumed Apple's code reviewers would not be in China, and all three were approved and given App Store authorization certificates.
Palo Alto Networks noticed the geolocation and alerted Apple, which yanked the apps from the App Store. But the developers had what they needed -- the App Store certificates. They bundled the apps into Windows software called Aisi ("Ace" in Chinese) Helper and distributed it as a free utility to optimize iOS devices attached by a USB cable to a PC.
Once users downloaded the utility onto their PCs, the attackers could use it to side-load their wallpaper/app store apps onto any connected iOS device. The iOS devices accepted the apps because the connected PC would already have been certified as trusted by Apple's FairPlay copy-protection mechanism, meant to limit the spread of purchased iTunes songs. The apps would also have Apple's own App Store authorization certificates.
"The infection of iOS devices is completed in the background without the user's awareness," wrote Palo Alto Networks researcher Claud Xiao in the company blog post. "The only indication is that the new malicious app does appear as an icon in the user's home screen."
A user might mistake the fake storefront for a pre-loaded, Apple-approved app that he or she can trust with a username and password. The masterminds behind AceDeceiver, who also run the website i4.cn, promise not to abuse the Apple login credentials, but add a terms-of-use clause that refuses liability for any wrongdoing that happens with those credentials.
Apple's FairPlay file-protection code is typically used to prove that an application was legally purchased, but AceDeceiver shows it can be a powerful tool to fool the company's own safeguards. While we still advise security-conscious smartphone owners not to jailbreak their devices and to download apps only from official app stores, AceDeceiver forces us to add a new amendment: Do not trust apps you don't remember downloading.
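The closing advice above (distrust apps you don't remember installing) can be turned into a simple check: snapshot the apps installed on a device when it is set up, and later diff a fresh listing against that baseline. The script below is an added example, not code from the article or from Palo Alto Networks. It assumes an input listing in the shape `bundle.id, "version", "Display Name"` (the form tools such as `ideviceinstaller -l` print; the exact format is an assumption), and both listings it parses are constructed samples with placeholder bundle IDs. Beyond a plain diff, it also flags a newly appeared app whose display name matches a trusted app's name, since the article notes that the fake storefront could be mistaken for a pre-loaded, Apple-approved app.

```python
"""Audit the apps on an iOS device against a trusted baseline (added example)."""
import csv
from dataclasses import dataclass
from io import StringIO


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    version: str
    name: str


# Constructed sample: snapshot taken when the device was set up and trusted.
BASELINE_LISTING = """\
# constructed baseline listing (sample data, not a real device)
com.apple.AppStore, "1.0", "App Store"
com.apple.mobilesafari, "9.0", "Safari"
com.example.notes-app, "2.3", "Notes Plus"
"""

# Constructed sample: listing taken after the device was synced with a PC.
# One app has been updated (a normal event) and one app has appeared that
# reuses a trusted display name under a placeholder bundle id.
CURRENT_LISTING = """\
# constructed current listing (sample data, not a real device)
com.apple.AppStore, "1.0", "App Store"
com.apple.mobilesafari, "9.0", "Safari"
com.example.notes-app, "2.4", "Notes Plus"
com.example.wallpaper-store, "1.0", "App Store"
"""


def parse_listing(text: str) -> list[InstalledApp]:
    """Parse lines of the assumed form: bundle.id, "version", "Display Name".

    Comment lines (starting with '#') and blank lines are ignored.
    """
    apps = []
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if len(row) < 3 or row[0].startswith("#"):
            continue
        apps.append(InstalledApp(row[0].strip(), row[1].strip(), row[2].strip()))
    return apps


def audit(current_text: str, baseline_text: str) -> dict:
    """Return apps not in the baseline, plus those that mimic a trusted name.

    Version changes of a known bundle id are deliberately not reported:
    the bundle id, not the version string, is the identity we track.
    """
    baseline = parse_listing(baseline_text)
    current = parse_listing(current_text)
    baseline_ids = {a.bundle_id for a in baseline}
    trusted_names = {a.name.casefold() for a in baseline}

    unexpected = [a for a in current if a.bundle_id not in baseline_ids]
    # A new app that borrows the display name of a trusted app deserves
    # a louder warning than a merely unfamiliar one.
    name_collisions = [a for a in unexpected if a.name.casefold() in trusted_names]
    return {"unexpected": unexpected, "name_collisions": name_collisions}


def format_report(report: dict) -> str:
    """Render the audit result as a short human-readable report."""
    lines = []
    for app in report["unexpected"]:
        tag = "NAME COLLISION" if app in report["name_collisions"] else "unexpected"
        lines.append(f"[{tag}] {app.bundle_id} ({app.name} {app.version})")
    return "\n".join(lines) if lines else "no unexpected apps"


if __name__ == "__main__":
    print(format_report(audit(CURRENT_LISTING, BASELINE_LISTING)))
```

In practice the baseline would be captured once, stored off the device, and compared after any sync with a PC; an app that turns up without a matching App Store purchase record is exactly the case the article's amendment is about.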