Researchers at Palo Alto Networks recently discovered a new type of iOS malware that infects non-jailbroken devices named “AceDeceiver”. The “AceDeceiver” trojan app was first found inside a Windows helper client, and then live in the Apple App Store. It has since been removed from the App Store. The trojan app provides access to a third party app store and leverages security flaws in Apple’s DRM technology to install itself onto non-jailbroken devices without any warnings to the user, as long as the device is connected to an infected PC. The security flaw allows apps that were on the Apple App Store – now, or previously – to be installed on any other device. This includes malicious apps previously removed by Apple (“Dead apps”). Even more disturbing, the “AceDeceiver” trojan acts as a phishing attack, asking the user for his or her Apple ID and password. These credentials are collected, then encrypted and sent to the attackers’ servers in China.
Unless two-factor authentication is being used, these credentials provide an attacker access to personal and corporate documents, photos, contacts, address book, location and more as well as access to iCloud backups. Further, the Apple ID credentials can also be used to unlock not only iOS devices, but in some cases, also recover passwords for OS X laptops and desktops. This should serve as a reminder that security best practices dictate that two factor authentication be used whenever possible so reminding your employees to enable and use it is advised.
The spread of “AceDeceiver” is mostly limited to mainland China, but we have seen a few enterprise organizations in North America and Europe that have one or more of the infected apps across multiple devices. Multiple versions of the “AceDeceiver” trojan app in our Global App Collection shows that it was available in the App Store for over two months (July 20, 2015 to September 29, 2015).
How does the infection work?
The iOS API used by iTunes to sync apps via USB / WiFi is used to install malicious apps on the device. The DRM flaw allows the attacker to use the malicious software on the PC to relay the device authorization to an attacker-controlled iTunes instance which allows the device to run the app without the need to re-purchase or re-download the app from the App Store.
The malicious software can install (sync) apps to the device if the following requirements are satisfied:
- The malicious software is installed on a PC (OS-Independent, in theory)
- There is an iOS device connected to that machine
- The user confirms the “trust this computer?” alert once
Which types of apps can be installed?
- Apps that were available in the AppStore at some point (works with apps that are not available anymore as well)
- Enterprise signed apps
- Developer ID self-signed apps
What is the risk and what is Apple doing about this?
The biggest security issue is created by apps that are or were available on the Apple App Store. Via AceDeceiver, apps can be installed without purchase using the user’s AppleID, even after the app has been removed from the App Store. Apple would normally revoke abused enterprise distribution certificates which would make all apps unusable that were signed with those certificates. However, this approach won’t work for the App Store certificate because this would affect all App Store apps.
The only way for Apple to disable the known malicious apps would be to remotely remove them from the infected mobile devices. There have been speculations about a “remote kill switch” for specific apps (as a last line of defense) since the App Store was first announced the capability but, to date, no known usage of this mechanism has appeared in the wild.
Apple’s reaction has been to remove the infected apps from the App Store and to revoke the abused Enterprise Distribution certificates. Unfortunately, those steps are not enough to prevent further infections and whether Apple will take further actions remains unknown.
What can enterprises do to keep from being infected?
The security flaws and techniques used by “AceDeceiver” further validate the risks around “Dead apps” – apps that remain on devices and contain outdated code, including malware and vulnerabilities that have been addressed in later versions of the app. Appthority has been reporting on the risks of Dead apps for over a year, finding again recently in our Q1 2016 Enterprise Mobile Threat Report that it is still a significant issue for enterprises with over 1 in 4 devices (26.95%) having at least one dead app installed. Malicious apps that remain on a user’s mobile device even after being removed from iTunes App Store bring significant risks to users and enterprises. While Apple has yet to offer sufficient protection from this risk, subscribers to Appthority’s mobile app risk management solution can access a workflow via the Appthority portal to identify and remediate “AceDeceiver” infected apps as well as other “Dead apps” in their enterprise environments. We also recommend identifying and removing unapproved and non-corporate signed “Sideloaded” apps.