Old design flaw becomes new malware vector for "AceDeceiver".

There's a new form of iOS malware making the rounds that uses mechanisms previously employed to pirate apps as a way to infect iPhones and iPads. Dubbed "AceDeceiver", it simulates iTunes in order to get a trojan app onto your device, at which point it tries to engage in other nefarious behavior.

What is "AceDeceiver"?

From Palo Alto Networks:

AceDeceiver is the first iOS malware we've seen that abuses certain design flaws in Apple's DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken. This technique is called "FairPlay Man-In-The-Middle (MITM)" and has been used since 2013 to spread pirated iOS apps, but this is the first time we've seen it used to spread malware. (The FairPlay MITM attack technique was also presented at the USENIX Security Symposium in 2014; however, attacks using this technique are still occurring successfully.)

We've seen cracked apps used to infect desktop computers for years, in part because people will go to extraordinary lengths, including deliberately circumventing their own security, when they think they're getting something for nothing.

What's new and novel here is how this attack gets malicious apps onto iPhones and iPads.

How is that happening?

Basically, by creating a PC app that pretends to be iTunes, and then transferring the malicious apps over when you attach your iPhone or iPad with a USB-to-Lightning cable.

Again, Palo Alto Networks:

To carry out the attack, the author created a Windows client called "爱思助手 (Aisi Helper)" to perform the FairPlay MITM attack. Aisi Helper purports to be software that provides services for iOS devices such as system re-installation, jailbreaking, system backup, device management and system cleaning. But what it's also doing is surreptitiously installing the malicious apps on any iOS device that is connected to the PC on which Aisi Helper is installed. (Of note, only the most recent app is installed on the iOS device(s) at the time of infection, not all three at the same time.) These malicious iOS apps provide a connection to a third-party app store controlled by the author for users to download iOS apps or games. It encourages users to input their Apple IDs and passwords for more features, and, if provided, these credentials will be uploaded to AceDeceiver's C2 server after being encrypted. We also identified some earlier versions of AceDeceiver that had enterprise certificates dated March 2015.

So only people in China are at risk?

From this one specific implementation, yes. Other implementations, though, could target other regions.

Am I at risk?

Most people aren't at risk, at least not right now, though a lot depends on individual behavior. Here's what's important to remember:

  • Pirate app stores and "clients" used to enable them are giant neon targets for exploitation. Stay far, far away.
  • This attack begins on the PC. Don't download software you don't absolutely trust.
  • Malicious apps spread from the PC to iOS over the Lightning-to-USB cable. Don't make that connection and they can't spread.
  • Don't ever — ever — give a third-party app your Apple ID. EVER.

So what makes this different from previous iOS malware?

Previous instances of malware on iOS have depended either on distribution through the App Store or on abusing enterprise profiles.

When distributed through the App Store, once Apple removed the offending app it could no longer be installed. With enterprise profiles, the enterprise certificate could be revoked, preventing the app from launching in the future.

In the case of AceDeceiver, the iOS apps are already signed by Apple (by way of the App Store approval process) and distribution is being performed through infected PCs. So, simply removing them from the App Store — which Apple has already done in this case — doesn't also remove them from already infected PCs and iOS devices.

How Apple combats these types of attacks in the future will be interesting to see. Any system with humans involved will be vulnerable to social engineering attacks — including the promise of "free" apps and features in exchange for downloading and/or sharing logins.

It's up to Apple to patch the vulnerabilities. It's up to us to be ever vigilant.

Is this where you bring up FBI vs. Apple?

Absolutely. This is exactly the reason why mandated backdoors are a disastrously bad idea. Criminals are already working overtime to find accidental vulnerabilities they can exploit to do us harm. Giving them deliberate ones is nothing short of recklessly irresponsible.

From Jonathan Zdziarski:

This particular design flaw wouldn't allow something like FBiOS to run, but it does demonstrate that software control systems have weaknesses, and cryptographic leashes like this can be broken in ways that are extremely difficult to fix with a large customer base and an established distribution platform. Should a similar leash be found that would affect something like FBiOS, it would be catastrophic to Apple, and potentially leave hundreds of millions of devices exposed.

Everyone should be working together to harden our systems, not to weaken them and leave us, the people, vulnerable. Because it's the attackers who'll be the first ones in and the last ones out.

With all of our data.