Palo Alto Networks researchers have revealed a new family of iOS malware, named “AceDeceiver”, that successfully infected non-jailbroken iPhones.
Unlike the iOS malware seen over the past two years, AceDeceiver does not rely on abusing enterprise certificates to install itself: instead, it exploits design flaws in Apple’s DRM mechanism, FairPlay. Apple has removed the AceDeceiver apps from the App Store, but the research shows that the malware may still spread because of this novel attack vector.
AceDeceiver is a new example of how malware can infect non-jailbroken iOS devices.
“AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism – namely FairPlay – to install malicious apps on iOS devices regardless of whether they are jailbroken”, researchers say. “This technique is called FairPlay Man-In-The-Middle (MITM) and has been used since 2013 to spread pirated iOS apps, but this is the first time we’ve seen it used to spread malware.”
AceDeceiver only affects users in mainland China.
Palo Alto Networks researchers consider the new attack technique more dangerous than previous ones for the following reasons:
- It doesn’t require an enterprise certificate, so this kind of malware is outside the control of MDM solutions, and it no longer needs the user to confirm trust in a developer profile before it can run.
- It hasn’t been patched, and even when it is, the attack would likely still work on older versions of iOS.
- Even though the apps have been removed from the App Store, that doesn’t stop the attack. Attackers do not need the malicious apps to remain in the App Store for the malware to spread; they only need the apps to have been there once, and they need the user to install the attackers’ client on his or her PC. Moreover, ZergHelper and AceDeceiver have both shown how easy it can be to bypass Apple’s code review process and get malicious apps into the App Store.
- The attack doesn’t require victims to install the malicious apps manually; the app is installed automatically. That is why the apps can be available in only a few regional App Stores without affecting the success of the attack, which also makes them much harder for Apple, or for security firms researching iOS threats, to discover.
- While the attack requires the user’s PC to be infected by malware first, from then on the infection of iOS devices is completed in the background without the user’s awareness. The only indication is that the new malicious app appears as an icon on the user’s home screen, so the user may notice a new app he or she doesn’t recall downloading.