Things seem to be getting muddy for both jailbroken and non-jailbroken iOS devices, as a new trojan has entered the house. AceDeceiver, the new iOS trojan, leverages a design flaw in Apple’s FairPlay DRM system to infect devices, and has been documented by Palo Alto Networks.
This design flaw first came to notice in February 2013 and is known as FairPlay Man-in-the-Middle. It was exploited to spread pirated apps and was later presented in depth at the 23rd USENIX Security Symposium. AceDeceiver is the first time the FairPlay MitM flaw has been used to spread malware.
The FairPlay MitM attack is fairly simple: the attacker acts as an intermediary between the App Store and a user’s computer or iOS device. That intermediary position lets the attacker request the purchase authorization code and pass it on to whatever device he wants. A better understanding can be gained from the picture below.
On its own, the FairPlay MitM flaw did not cause much damage, until attackers paired it with a Windows software package called 爱思助手 (Aisi Helper) and made it more appealing by including tools for jailbreaking devices, creating backups, and performing system cleaning operations. It also comes with a feature that lets users install apps on their devices, whether from the official App Store or from third-party stores.
Aisi Helper tricks users into thinking they have bought and paid for authentic apps from Apple’s App Store, when in fact the attacker is recycling authorization codes while also abusing Aisi Helper to send malicious apps to the user’s iOS device.
The attackers were also able to trick Apple into approving their malicious apps for installation on users’ devices, using a bypass technique also employed by the ZergHelper family; the AceDeceiver operators managed to upload three such apps to Apple’s store.
Once the apps were listed on the official store, the attackers downloaded them onto their own devices, obtained the authorization codes, and used those codes to forcibly push the AceDeceiver-infected apps to any user who connected an iOS device to a PC running Aisi Helper.
Once Apple discovered the malicious apps, all three were pulled from the store.
As of now, the threat appears to be targeting, and prevalent in, China only. The trojan is capable of stealing Apple ID credentials, and it also acts as a third-party store for installing other apps on infected devices for Chinese users.
“AceDeceiver is only targeting iOS devices in mainland China, but attackers could easily expand this attack to other regions around the world,” Palo Alto Networks researchers explained. “And as we’ve already noted, the attack technique they’re exploiting will not be easy for Apple to fix.”
The names of the apps carrying AceDeceiver are aisi.aisiring, aswallpaper.mito, and i4.picture. As of now, they have been removed from Apple’s App Store.