The largest known Apple account theft occurred this summer when over 225,000 Apple accounts were stolen by malware nicknamed KeyRaider. Cydia, a software distribution and installation tool for jailbroken iOS devices, distributed the malware.
The purpose of the attack was to collect App Store applications: the attackers logged into the stolen accounts, downloaded the victims’ already purchased apps and sent the software to the attackers’ server. The applications would then be distributed to piracy repositories where other users could download them without paying for them. Around 20,000 users are estimated to be abusing the 225,000 stolen accounts.
According to an article by Claud Xiao at Palo Alto Networks detailing how KeyRaider was detected and how it was used to steal victims’ personal information, jailbreak tweaks are software packages that allow users to perform actions that are not originally possible on iOS.
“These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users,” Xiao said.
Cydia creator Jay Freeman explained that jailbreaking an iOS device can give users the ability to change software outside of applications, such as changing the layout of the lock screen or manipulating the animations or sounds played when opening an application.
“On a jailbroken phone, we provide the tools to allow you to modify any of the software on the entire device,” Freeman said. “The tools that are provided for that are mostly written by me — something called Substrate, which is a framework that developers can utilize to create modifications to software written by other people without the source code for that software.”
Freeman said Cydia is a place where users can install individual changes to their iOS device like a features store.
“If you can install individual new features like the ability to delete entire mail conversations — that is something that Apple added maybe in the new iOS,” Freeman said. “If you can add an individual change, that is what we usually do in Cydia.”
According to Freeman, the only software that can be installed on iOS devices is a restricted class of applications, but on jailbroken devices users can install software that can affect the entire phone.
“Now suddenly you have a lot more responsibility to not install stuff that’s dumb,” Freeman said. “And it can be difficult to not install stuff that’s dumb. A lot of people don’t quite realize just how careful you might have to be.”
Freeman said Cydia is a platform through which third-party companies such as BigBoss can provide software. Users have access to any of the third-party software, which may also contain malware.
“There are thousands of repositories online which can be very tempting to people because they contain virtually free software. So people will download these repositories in order to get apps from the app store for free,” Freeman said. “The software you get from piracy repositories sometimes has malware in it and if you install the software, it will install something extra with that software.”
Freeman said the extra software would then attempt to monitor Apple account logins and capture Apple ID passwords, sending them to a server used to accumulate pirated software.
“They were logging into your Apple account into the app store to download the apps you bought. If you have over 200,000 Apple accounts, you have access to a lot of the app store,” Freeman said. “As the piracy repository, you can download all that software on your end and then ship it all over the Internet to all the other people who want to pirate stuff.”
Cydia community manager Britta Gustafson said most of the “nasty malware” in the iOS ecosystem has come from essentially pirated sources, and she encourages people to be extremely careful when they stray from the software the community has determined to be legitimate.
“That is something we recommend to people. The default repositories have a type of quality review with a community around them, whereas it is much easier to distribute malware through the piracy stuff that is not as well moderated. It’s a shady zone,” Gustafson said.
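Gustafson’s recommendation above (stay with the moderated default repositories) can be turned into a simple audit of a jailbroken device’s configured sources. The following is an added example, not code from Cydia, Palo Alto Networks or anyone quoted in the article: it parses APT-style `deb` source lines of the kind Cydia keeps under `/etc/apt/sources.list.d/` and flags any repository host that is not on an allowlist of defaults. The allowlist hostnames and the sample source list are assumptions constructed for the example; adjust them to the device being checked.

```python
from urllib.parse import urlparse

# Assumption for this example: these are treated as the community-moderated
# default repository hosts. Replace with the defaults shipped on your device.
DEFAULT_REPOS = {
    "apt.saurik.com",
    "apt.thebigboss.org",
}

# Constructed sample of a Cydia/APT source list (made up for this example).
# A real device would have this under /etc/apt/sources.list.d/.
SAMPLE_SOURCES = """\
deb http://apt.saurik.com/ ios/793.00 main
deb http://apt.thebigboss.org/repofiles/cydia/ stable main
# a third-party repository added by the user (constructed example name)
deb http://repo.example-pirate-source.invalid/ ./
deb https://apt.thebigboss.org/repofiles/cydia/ stable main
"""


def parse_sources(text):
    """Return (uri, host) pairs for each 'deb' line, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] not in ("deb", "deb-src") or len(parts) < 2:
            continue
        host = urlparse(parts[1]).hostname
        if host:
            entries.append((parts[1], host.lower()))
    return entries


def audit_sources(text, allowlist=DEFAULT_REPOS):
    """Split configured repositories into default (allowlisted) and non-default."""
    default, non_default = [], []
    for uri, host in parse_sources(text):
        (default if host in allowlist else non_default).append(uri)
    return {"default": default, "non_default": non_default}


if __name__ == "__main__":
    report = audit_sources(SAMPLE_SOURCES)
    for uri in report["non_default"]:
        print("non-default repository:", uri)
    print(f"{len(report['default'])} default, {len(report['non_default'])} non-default")
```

Run against the sample, the script reports the one constructed third-party repository as non-default. Matching on the parsed hostname rather than the full line means a default repository reached over a different scheme or path is still recognised, while any host not on the list is surfaced for the user to review.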