A recently discovered group of malware that infects jailbroken iPhones has gathered the login information for more than 225,000 Apple accounts, and is believed to be one of the largest breaches of Apple accounts ever.
The malware, dubbed KeyRaider by its discoverer, found its way to victims via websites that hosted repositories of Cydia software. Cydia is an app that allows users of jailbroken iOS devices to access software and apps locked phones can’t normally access. The malware then steals Apple account information by intercepting iTunes traffic from the device.
Palo Alto Networks (PAN) and WeipTech, which found the vulnerability, estimate that the batch of stolen logins has been downloaded more than 20,000 times.
An analysis of the stolen accounts found that more than half of the email addresses were from a service provided by Tencent, suggesting that most of the affected users were Chinese, although the addresses also included regional domains from 17 other countries, including the United States, Canada, Israel, South Korea, and Japan.
Victims of the malware have reported irregular purchase histories on their accounts and their phones being held for ransom. One victim found his iPhone locked, with the display instructing him to contact an account on QQ, a popular Chinese chat service, to unlock the phone.
“KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads,” reads a PAN blog post.
Those who download the stolen credentials from the malware’s command and control server can use them to download apps requested through the stolen account without paying for them.
The vulnerability was uncovered by a student at Yangzhou University and a member of WeipTech, a hobbyist technical group comprised of users from Weiphone, an Apple fan site. WeipTech disclosed the breach on their Weibo—China’s version of Twitter—on August 25.