How KeyRaider Malware Hacked 225K Apple Accounts
Ryan Olson of Palo Alto Networks Analyzes Breach Impact
The bad news is that the new KeyRaider malware has compromised more than 225,000 Apple accounts. The good news, according to cybersecurity expert Ryan Olson of Palo Alto Networks, is that only "jailbroken" iOS devices are at risk.
Researchers at Palo Alto Networks named the malware KeyRaider after they determined last week that it had been used to compromise credentials linked to more than 225,000 Apple devices in 18 nations, including China, Russia, the United States and the United Kingdom. KeyRaider was discovered and brought to Palo Alto's attention by members of the amateur technical group WeipTech. Palo Alto Networks believes this is the largest known Apple account theft caused by malware.
Jailbreaking removes the Apple protections that limit which apps can be installed on iOS devices.
"Generally, Apple keeps their devices really well locked down, and one of the reasons for that is to make sure that they're more secure," Olson says during this interview with Information Security Media Group. "The only programs that can run on a locked-down iOS device are those that have been blessed by Apple. People who want to run other things on their phones tend to jailbreak them. So, in this case, people who are getting infected with KeyRaider have jailbroken their phones and they were going and downloading what was basically pirated software."
Pirated applications are posted in a number of repositories, Olson says, so they are easy to access. They are not vetted by Apple or other mobile app providers for security.
"In this case, certain versions of fake anti-virus programs, cleanup applications and a whole bunch of others had been posted on these repositories that included the KeyRaider Trojan inside of them," Olson explains.
When users downloaded these infected apps to their jailbroken iOS devices, KeyRaider infected their operating systems and stole credentials associated with their Apple accounts, including passwords and, in some cases, keys and certificates used by Apple to authenticate devices and accounts, he says.
So far, it appears that hackers are using the stolen credentials to make fraudulent purchases in Apple's App Store. Evidence suggests about 20,000 fraudsters are abusing the stolen credentials, Palo Alto Networks' research shows.
During this interview, Olson also discusses:
- How infected Apple users can remove KeyRaider from their devices;
- Why KeyRaider poses new bring-your-own-device concerns for the use of jailbroken devices in the workplace;
- Why KeyRaider is likely to raise some concerns among all iOS users about Apple's security, even though only jailbroken devices are at risk.
Olson is intelligence director at Unit 42, the intelligence team at Palo Alto Networks. Previously, Olson served as senior manager in Verisign's iDefense Threat Intelligence service. His area of expertise is detecting and identifying actors and groups conducting cybercrime and cyber-espionage operations. Olson is a contributing author of the book Cyber Fraud: Tactics, Techniques and Procedures, and is primary author of Cyber Security Essentials.