How to Remove KeyRaider Malware that Hacked Over 225,000 iOS Devices

Jailbreaking your device may have got you the best of apps, but after reading this you will know what a high price you could have to pay for the jailbreak.

Read on…

A malware named ‘KeyRaider’ has supposedly stolen the user credentials of approximately 225K iPhone users. It has been given this name because it raids victims’ usernames and passwords, private keys and certificates.

Figures say that KeyRaider malware has affected a large number of users in China and in 17 other countries worldwide. The malware is also suspected to originate in China, according to the investigation conducted by Palo Alto Networks into suspicious tweaks reported on iPhones.

Users falling prey to KeyRaider may be the victims of:
  • Ransomware
  • Data Theft
  • DDoS Attacks

The malware targets jailbroken phones and, once active, captures the user’s Apple ID and makes transactions using it.

The researchers say that it is spreading through Cydia app repositories, which are popular among jailbreakers for bypassing the device’s security restrictions and installing third-party apps.

Palo Alto says:
"The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords, and device GUID by intercepting iTunes traffic on the device."
"KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."
Also, the Palo Alto Networks team has said that this is the biggest ever breach that has happened involving Apple accounts.

Although much of the platform’s protection is no longer present on jailbroken devices, the following measures can still be taken to mitigate the risk:

Steps to Remove KeyRaider Malware

Apple device users can use the following method to determine by themselves whether their iOS devices were infected:
  • Install OpenSSH server app via Cydia
  • Connect to your device through SSH protocol
  • Go to the /Library/MobileSubstrate/DynamicLibraries/ location on your device, and grep every file in that directory for these strings:
    • wushidou
    • gotoip4
    • bamu
    • getHanzi
  • If any dylib file contains any one of these strings, delete it, remove the plist file with the same filename, and then reboot your iOS device.
The solution was produced by WeipTech (Weiphone Tech Team), a technical startup group made up of users of Weiphone, one of the largest Apple fan websites in China.
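The manual check above, written as a small shell script. This is an added example, not code from the article, WeipTech or Palo Alto Networks; it scans each .dylib in the MobileSubstrate DynamicLibraries directory for the four indicator strings and prints the dylib and matching plist to remove, leaving the deletion and reboot as a manual step. The sample directory at the bottom is constructed so the script can be tried off-device.

```shell
#!/bin/sh
# Added example (not from the article or from WeipTech/Palo Alto Networks).
# Report-only scan for the KeyRaider indicator strings named in the article.

INDICATORS="wushidou gotoip4 bamu getHanzi"

# keyraider_scan [DIR]  -> prints one SUSPECT line per hit;
# returns 0 when nothing was found, 1 when at least one dylib matched.
keyraider_scan() {
    dir="${1:-/Library/MobileSubstrate/DynamicLibraries}"
    hits=0
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue            # no .dylib files in the directory
        for s in $INDICATORS; do
            # -q: exit status only, so binary Mach-O files are fine
            if grep -q -- "$s" "$f"; then
                echo "SUSPECT: $f contains '$s'; also remove ${f%.dylib}.plist"
                hits=$((hits + 1))
                break                       # one hit per file is enough
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample standing in for the device path (assumption: real tweaks
# are Mach-O binaries; a plain file with the string embedded is enough for grep).
SAMPLE_DIR="$(mktemp -d)"
echo "harmless tweak" > "$SAMPLE_DIR/clean.dylib"
echo "padding wushidou padding" > "$SAMPLE_DIR/bad.dylib"
: > "$SAMPLE_DIR/bad.plist"

if keyraider_scan "$SAMPLE_DIR"; then
    echo "no indicator strings found in $SAMPLE_DIR"
fi
```

On a jailbroken device, run it over SSH with no argument so it scans the real /Library/MobileSubstrate/DynamicLibraries path.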

You can also follow the research write-up prepared by Palo Alto Networks, which describes the malware’s capabilities and its mitigation.
