Attackers exploit Apple DRM weakness to infect non-jailbroken iOS devices

If a malicious app is published on the App Store once and then is removed, attackers can continue to infect devices with it through PC malware

Attackers are exploiting a weakness in Apple's digital rights management technology to install malicious apps on supposedly protected, non-jailbroken iOS devices.

In late February, security researchers from Palo Alto Networks found three malicious applications on the official App Store. An analysis revealed the malicious apps were part of a scheme to steal Apple IDs and passwords from Chinese users under the guise of an alternative app store.

The more interesting aspect of the apps: In addition to being published on the official app store, they were also silently installed through software running on users' Windows PCs.

An iOS device that hasn't been jailbroken (that is, hasn't had its security restrictions removed) should only be able to run apps downloaded from the App Store or installed through the iTunes software from users' PCs.

When pushing an app through iTunes to an iOS device connected to a computer, the device performs a check to ensure that the app was indeed acquired from the App Store. This is part of Apple's FairPlay DRM technology.

However, in 2014, a team of researchers from Georgia Institute of Technology presented a method through which an iOS device could be tricked to allow the installation of an app through iTunes that was previously acquired by a different Apple ID.

"Attackers can remotely instruct an already compromised computer to install apps on a connected iOS device, completely bypassing DRM checks," the team of researchers warned at the time. "Even if an app has been removed from the App Store, attackers can still distribute their own copies to iOS users."

According to Palo Alto Networks, this bypass technique still works and was used to install the newly found malicious apps, which the company has dubbed AceDeceiver, on non-jailbroken devices.

More specifically, the attackers first uploaded their apps to the App Store, managing to pass Apple's review process by presenting them as wallpapers. They then purchased those same apps through iTunes and captured the FairPlay authorization code.

The attackers then created a piece of software that simulates iTunes and distributed it in China as a helper program for iOS devices that can perform system reinstallation, jailbreaking, system backup, device management, and system cleaning.

When users connected their devices to a computer with this software installed, it silently installed AceDeceiver on those devices by using the previously captured authorization code. The only indication of the attack was the app icon appearing on the device home screen after the installation was done.

This means that even if the AceDeceiver apps have been removed from the App Store, the attackers can continue to spread them using the PC software because they already have the authorization code they need.

In this case, the attackers tricked users into installing the iTunes-like software themselves, but in future attacks, they could do it through malware that silently infects computers through exploits.

"Our analysis of AceDeceiver leads us to believe FairPlay MITM [man-in-the-middle] attack will become another popular attack vector for non-jailbroken iOS devices -- and thus a threat to Apple device users worldwide," the Palo Alto researchers said in a blog post Wednesday.

This is the second time in a month that researchers have found rogue apps on the App Store, proving that bypassing Apple's app review process is not only possible, but fairly easy. In both cases, the malicious apps masqueraded as harmless applications and only enabled their malicious functionality when run on devices with IP addresses from China.
