September 17, 2015

Following the discovery of the Mac firmware worm Thunderstrike 2, cybersecurity experts at Palo Alto Networks, together with WeipTech, have released reports on a new iOS malware, KeyRaider. Responsible for the largest known account theft caused by malware, KeyRaider has stolen credentials for more than 225,000 Apple customer accounts. The Apple devices targeted by KeyRaider were primarily jailbroken, i.e. they permitted the installation of unauthorized applications, extensions and themes from sources other than the Apple App Store.

How Does KeyRaider Work?

When a user jailbreaks an Apple device, the malware prompts the user to install a third-party app from a Cydia repository. Once the app is installed, KeyRaider attempts to steal important account credentials and the device's Universally Unique Identifier (UUID). It allegedly intercepts arbitrary data from the iTunes accounts of users who have installed malware-ridden apps on their jailbroken devices.

In addition, the malware goes a step further: it accesses Apple’s service certificates, disables the remote unlock feature and shares App Store information. This allows other users to use the stolen data to purchase premium apps or themes from the Apple Store.

How To Detect And Remove KeyRaider?

The most viable way to keep your Apple device protected against KeyRaider is to keep it updated with the latest software. You should also not jailbreak your phone, as doing so removes Apple’s protections and makes your device vulnerable to security breaches. However, if you have already jailbroken your phone, here are some steps you should take to protect yourself against KeyRaider:

  • Search for ‘Filza File Manager’ on Cydia and install it on your device.
  • Open the app and go to /Library/MobileSubstrate/DynamicLibraries/.
  • Select the first file that has a ‘.dylib’ extension.
  • After opening the file, type each of the following keywords into the search bar: wushidou, gotoip4, bamu, getHanzi.
  • If you are able to locate any of these keywords, your device is infected with the malware. Make sure you remove the file along with all the ‘.plist’ files with the same name.
  • Follow the same steps for each ‘.dylib’ file that you find in the directory. Once done, reboot your iOS device.
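The manual check above can be scripted for anyone with a shell on the device (for example over SSH) or with a copy of the directory pulled to a workstation. The script below is an added example, not part of the original post; it assumes a POSIX sh whose grep supports -a for binary files, and it only reports matches, leaving removal to the reader.

```shell
#!/bin/sh
# Added example: scan a MobileSubstrate DynamicLibraries directory for the
# four KeyRaider indicator strings listed in the post. Assumes POSIX sh and a
# grep that accepts -a (GNU, BSD and busybox grep all do).

# The strings the post tells readers to search for inside each .dylib.
KEYRAIDER_STRINGS='wushidou|gotoip4|bamu|getHanzi'

# scan_dylibs [DIR]
# Prints every .dylib in DIR whose bytes contain any indicator string,
# followed by the same-named .plist that the post says to remove with it.
# Returns 0 when nothing suspicious was found, 1 when at least one hit.
scan_dylibs() {
    dir="${1:-/Library/MobileSubstrate/DynamicLibraries}"
    hits=0
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue          # directory holds no .dylib files
        # -a treats the binary as text; -q only reports whether it matched
        if grep -a -q -E "$KEYRAIDER_STRINGS" "$lib"; then
            hits=$((hits + 1))
            echo "SUSPICIOUS: $lib"
            plist="${lib%.dylib}.plist"    # companion filter file, same name
            [ -f "$plist" ] && echo "  companion: $plist"
        fi
    done
    [ "$hits" -eq 0 ]
}
```

Run it as `scan_dylibs` on the device, or `scan_dylibs /path/to/copy` against an extracted copy; a non-zero exit status means at least one library matched.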

After you have successfully removed the malware, it is suggested that you change your Apple account password and enable two-factor authentication to keep your device safe.