Researchers from Palo Alto Networks have discovered an iOS malware sample that affects jailbroken iPhone devices. The malware is named ‘AppBuyer’.
The AppBuyer malware is built to steal the user’s Apple ID login and password. Once these credentials have been stolen, the malware purchases specific applications from the App Store, and those behind the malware are using the iOS ecosystem to make serious money.
The hackers first infect the device; once it has been compromised, the device uploads the Apple ID credentials. With the credentials in hand, the hackers are able to buy specific applications that generate attractive revenue for them.
The members of the WeiPhone Technical Group, who first mentioned AppBuyer in May, remotely assisted a user in finding out why some apps were periodically being installed on his jailbroken device, and later found two strange files on the phone.
They discovered that the suspicious files would execute, download and delete other executable files from the web. They also tried to identify the hacker by analyzing the C&C server’s domain name found in the samples, and they released the samples for download.
WeiPhone Technical Group did not explain how the samples were installing other apps on infected devices. Meanwhile, the C&C servers are still up and running, which means a greater number of users may be affected.
Palo Alto Networks analyzed the samples to document how the malware works and to provide suggestions and solutions for defeating it. The researchers, however, still do not know how the malware was installed on jailbroken Apple devices.
Possibilities include a malicious Cydia Substrate tweak hosted in third-party Cydia sources, a PC jailbreaking utility, other PC malware, or some other as yet unknown route.
After a device has been infected, the malware first downloads executable files to generate a unique UDID. It then downloads a Cydia Substrate tweak that intercepts all HTTP/HTTPS sessions to steal the user’s Apple ID and password and upload them to the attacker’s server.
Lastly, it downloads a fake gzip utility that logs in to the App Store with the user’s Apple ID credentials and buys additional apps. Palo Alto Networks researchers therefore classify AppBuyer as a Trojan.
Defense
Palo Alto Networks researchers strongly recommend that iOS users stay away from jailbreaking. They point to AdThief, another iOS malware discovered this year, which infected more than 75,000 devices. Another example is Unflod, a malicious Cydia Substrate tweak that steals the victim’s Apple ID credentials in a similar way.
Users who have already jailbroken their iOS devices should look for one or more of the following files in the device file system:
• /System/Library/LaunchDaemons/com.archive.plist
• /bin/updatesrv
• /tmp/updatesrv.log
• /etc/uuid
• /Library/MobileSubstrate/DynamicLibraries/aid.dylib
• /usr/bin/gzip
If any such file is present, the device may be infected by the AppBuyer malware. However, simply removing these files may not solve the issue, as there is no word on how the malware actually got onto the device. Palo Alto Networks says its platform can protect against the malware in several ways.
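As an added example (not code from the article or from Palo Alto Networks), a small POSIX shell check for the indicator paths listed above. The ROOT argument is an assumption of this example: it lets the check run against a mounted image or a copied device filesystem rather than only the live device, and the script reports rather than deletes, since removing the files alone is not a cleanup.

```shell
#!/bin/sh
# Added example, not from the article: look for the AppBuyer indicator files
# listed in the article under a given filesystem root. Nothing is deleted.

# Indicator paths as given in the article. Note that /usr/bin/gzip is also the
# name of a legitimate utility, so a hit there alone warrants inspection of the
# binary rather than an immediate verdict.
APPBUYER_PATHS="
/System/Library/LaunchDaemons/com.archive.plist
/bin/updatesrv
/tmp/updatesrv.log
/etc/uuid
/Library/MobileSubstrate/DynamicLibraries/aid.dylib
/usr/bin/gzip
"

# appbuyer_scan [ROOT]
# Prints one FOUND line per indicator present under ROOT (default /), then a
# CLEAN or SUSPECT summary. Returns 0 when nothing was found, 1 otherwise.
appbuyer_scan() {
    root="${1:-/}"
    root="${root%/}"        # "/" becomes "" so "$root$p" stays a clean path
    hits=0
    for p in $APPBUYER_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hits=$((hits + 1))
        fi
    done
    if [ "$hits" -eq 0 ]; then
        echo "CLEAN: no AppBuyer indicators under ${root:-/}"
        return 0
    fi
    echo "SUSPECT: $hits AppBuyer indicator(s) under ${root:-/}"
    return 1
}

# Stand-alone usage: sh appbuyer_check.sh [ROOT]. With no argument the script
# only defines the function so it can be sourced from another script.
if [ $# -gt 0 ]; then
    appbuyer_scan "$1"
fi
```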
They have already released URL signatures to prevent the download of the malicious files mentioned above, and will soon release IPS and DNS signatures. The new iOS malware can essentially be stopped by blocking the download of AppBuyer’s executable files.