A primary goal of attackers targeting Apple mobile devices is to install arbitrary apps, even on devices that have not been jailbroken.

Attackers are now exploiting a flaw in Apple's digital rights management (DRM) technology to reach that goal and install malicious apps on any iOS device.

Recently, a group of experts from the security firm Palo Alto Networks spotted three malicious applications deployed on the official App Store. The crooks uploaded and updated the three apps between July 2015 and February 2016; the apps were developed to steal Apple IDs and passwords, mainly from Chinese users.

The first app was available for download since July 10, 2015, the second since November 7, 2015, and the third since January 30, 2016.

Figure 1 – The third malicious app of the AceDeceiver family in the App Store

Notably, the three apps could be installed silently by software running on a Windows machine to which the device was connected.

The malicious iOS apps connected the devices to a third-party app store controlled by the attackers, which served malicious code packaged as iOS apps or games.

Officially, the only ways to install an application on a non-jailbroken iOS device are to download it from the official App Store or to install it through the iTunes software on the user's computer. In the second scenario, the device verifies the legitimate origin of the app using Apple's FairPlay DRM technology.

At the USENIX Security Symposium in 2014, a group of researchers from the Georgia Institute of Technology presented a method to install, through iTunes, any app on an iOS device as long as that app had previously been purchased with a different Apple ID.

The attack scenario the researchers described is straightforward: an attacker remotely installs mobile apps on an iOS device connected to an already compromised PC.

Now researchers at Palo Alto Networks have confirmed that attackers in the wild are using this technique to deliver a malicious app named AceDeceiver to non-jailbroken devices.

Unlike most strains of iOS malware, the AceDeceiver threat can infect non-jailbroken iPhones.

AceDeceiver differs from iOS threats previously discovered in the wild: it exploits a flaw in the DRM mechanism rather than relying on abused code-signing certificates.

“We’ve discovered a new family of iOS malware that successfully infected non-jailbroken devices we’ve named ‘AceDeceiver.’” states a blog post published by Palo Alto Networks.

“What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.”

How does AceDeceiver work?

The attackers first uploaded their apps to the App Store, passing Apple's review process by submitting them as wallpaper apps. Once Apple had approved the apps and published them on the official store, the attackers purchased them through iTunes in order to capture the FairPlay DRM authorization code.

The crooks developed Windows client software, dubbed Aisi Helper, that impersonates the iTunes client so that it could store and replay authorization codes for apps. These authorization codes trick an attached iOS device into believing the apps were legitimately purchased from the official store, which let the attackers install an unlimited number of copies on as many iPhones, iPods and iPads as they liked.

The crooks distributed the client software in China disguised as a helper program for iOS devices that performs system reinstallation, jailbreaking, system backup, device management, and system cleaning.

“To carry out the attack, the author created a Windows client called “爱思助手” (Aisi Helper) to perform the FairPlay MITM attack. Aisi Helper purports to be software that provides services for iOS devices such as system re-installation, jailbreaking, system backup, device management and system cleaning.” continues the post.

Aisi Helper was developed by a company located in Shenzhen, China, and the experts also noticed that AceDeceiver uses the domain of the product's official website, www.i4[.]cn, for its command and control server. The threat actors used third-level subdomains under this domain for downloading and updating.

Aisi Helper was first released in January 2014 and initially showed no malicious behavior. By December 2014 the tool had become very popular, reaching over 15 million users and over 6.6 million monthly active users. The malicious functionality was added later, in 2015.

The experts noticed that when a user accesses the official website from a computer, it prompts them to install the Aisi Helper PC client. Users who access the website from an Apple device are redirected to the site's mobile version (m.i4[.]cn), where an enterprise-certificate-signed version of its iOS client is recommended.

“During our investigation in February 2016, all Aisi Helper Windows or iOS clients downloaded from the official website contained the AceDeceiver Trojan.” states the analysis published by Palo Alto Networks.

When users connected their iOS devices to a computer running this software, it silently installed AceDeceiver by replaying the authorization code captured while the app was still available on the official store.

“By deploying authorized computer to the C2 server, and using a client software as an agent in the middle, the attacker can distribute that purchased iOS app to unlimited iOS devices.” reads the post.

Figure 2 – AceDeceiver exploits a flaw in the FairPlay DRM mechanism

The “FairPlay Man-In-The-Middle (MITM)” technique is not new; it has been used since 2013 to install pirated apps on Apple mobile devices. Under the FairPlay protocol, whoever wants to install a pirated copy of a legitimate app first needs to obtain an authorization code for that legitimate app.

The technique keeps working even after Apple removes the AceDeceiver apps from the official App Store, because the attackers already hold the authorization code they need to complete the installation.

Back to the AceDeceiver case: Apple removed the malicious apps from the official store after Palo Alto Networks experts reported their discovery in late February 2016. Unfortunately, the attack remains viable for the reason above.

“As long as an attacker could get a copy of authorization from Apple, the attack doesn’t require current App Store availability to spread those apps.” state the experts from Palo Alto Networks. “Even if an app has been removed from the App Store, attackers can still distribute their own copies to iOS users.” the team of experts explained at the USENIX conference.
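To make the mechanism concrete, the following is an added Python model of the flow described in this section and of why removing the app from the store does not stop it. It is not code from Palo Alto Networks, the USENIX authors or Apple. FairPlay's real message formats are not described on this page, so the store, the authorization token and the device-side check are deliberately simplified assumptions, and the "bound" variant is one illustrative mitigation, not Apple's actual fix.

```python
"""
Toy model of the FairPlay MITM replay: a purchase yields an authorization that
is cryptographically valid but not tied to the device it is later installed on.
All keys, identifiers and Apple IDs below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Stands in for the store's DRM secret (constructed, not a real key).
STORE_KEY = b"constructed-store-signing-key"


@dataclass(frozen=True)
class Authorization:
    app_id: str      # which app the token covers
    purchaser: str   # Apple ID that paid for the app
    tag: str         # store's MAC over (app_id, purchaser)


def _tag(app_id: str, purchaser: str) -> str:
    msg = f"{app_id}|{purchaser}".encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()


class Store:
    """Models the App Store: lists apps, sells them, issues authorizations."""

    def __init__(self) -> None:
        self.listed: set[str] = set()

    def list_app(self, app_id: str) -> None:
        self.listed.add(app_id)

    def remove_app(self, app_id: str) -> None:
        self.listed.discard(app_id)

    def purchase(self, app_id: str, apple_id: str) -> Authorization:
        if app_id not in self.listed:
            raise LookupError("app is no longer in the store")
        return Authorization(app_id, apple_id, _tag(app_id, apple_id))


class Device:
    """Models a non-jailbroken device that installs only store-authorized apps.

    Flawed check (bind_to_apple_id=False): the tag is verified, so forged
    tokens are rejected, but nothing ties the token to the Apple ID signed in
    on *this* device, so one captured authorization works on any device.
    Hardened check (bind_to_apple_id=True, an assumption for illustration):
    the purchaser must match the signed-in Apple ID.
    """

    def __init__(self, udid: str, apple_id: str, bind_to_apple_id: bool = False) -> None:
        self.udid = udid
        self.apple_id = apple_id
        self.bind = bind_to_apple_id
        self.installed: list[str] = []

    def install(self, auth: Authorization) -> bool:
        if not hmac.compare_digest(_tag(auth.app_id, auth.purchaser), auth.tag):
            return False                       # forged or tampered token
        if self.bind and auth.purchaser != self.apple_id:
            return False                       # replayed from another Apple ID
        self.installed.append(auth.app_id)
        return True


class FakeITunesClient:
    """Models the agent in the middle (the role Aisi Helper plays): it keeps
    the authorization captured once and replays it to every attached device."""

    def __init__(self) -> None:
        self.cache: dict[str, Authorization] = {}

    def capture(self, auth: Authorization) -> None:
        self.cache[auth.app_id] = auth

    def push(self, app_id: str, device: Device) -> bool:
        return device.install(self.cache[app_id])


def run_scenario(n_devices: int = 3, bind_to_apple_id: bool = False) -> dict:
    """Purchase once, get the app pulled from the store, then replay to N devices."""
    store = Store()
    store.list_app("wallpaper-app")                     # passed review as a wallpaper app
    auth = store.purchase("wallpaper-app", "attacker@example.invalid")
    agent = FakeITunesClient()
    agent.capture(auth)                                 # the one-time capture
    store.remove_app("wallpaper-app")                   # store pulls the app
    try:
        store.purchase("wallpaper-app", "attacker@example.invalid")
        still_sells = True
    except LookupError:
        still_sells = False
    victims = [Device(f"udid-{i}", f"victim{i}@example.invalid", bind_to_apple_id)
               for i in range(n_devices)]
    installed = sum(agent.push("wallpaper-app", d) for d in victims)
    return {"store_still_sells": still_sells, "installed_after_removal": installed}


if __name__ == "__main__":
    print(run_scenario())                        # flawed check: all devices infected
    print(run_scenario(bind_to_apple_id=True))   # bound check: replay rejected
```

The model separates two properties that are easy to conflate: the authorization is cryptographically sound (a forged tag is rejected), yet it is a bearer token that any device accepts. That is why the store listing only has to exist for a short window and why pulling the app afterwards does not revoke installs already possible with the captured token; the bound variant shows that the missing ingredient is a binding between the authorization and the device or account that presents it.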

Below is the AceDeceiver timeline published by Palo Alto Networks:

Jan 2013: FairPlay MITM attack has been used in the wild to spread pirated iOS apps.
Aug 2014: Researchers published a paper describing the FairPlay MITM attack at the 23rd USENIX Security Symposium
Mar 26, 2015: AceDeceiver’s enterprise certificate signed iOS apps added password stealing functionality. These apps were embedded into Aisi Helper Windows clients.
Jul 10, 2015: AceDeceiver’s iOS app “爱思助手” was available in HK and NZ App Store
Jul 24, 2015: Aisi Helper Windows client updated to embed its App Store version iOS app
Nov 7, 2015: AceDeceiver’s iOS app “AS Wallpaper” was available in US App Store
Jan 30, 2016: AceDeceiver’s iOS app “i4picture” was available in US and UK App Store
Feb 21, 2016: Palo Alto Networks published report on ZergHelper
Feb 24, 2016: Palo Alto Networks reported the AceDeceiver issue to Apple
Feb 25, 2016: AceDeceiver apps were removed from App Store
Feb 26, 2016: Palo Alto Networks reported the FairPlay MITM attack issue in AceDeceiver to Apple

Security experts believe threat actors in the wild will continue to leverage the FairPlay MITM technique to deliver the AceDeceiver malware to non-jailbroken iOS devices.

“Our analysis of AceDeceiver leads us to believe FairPlay MITM attack will become another popular attack vector for non-jailbroken iOS devices – and thus a threat to Apple device users worldwide. Palo Alto Networks has released IPS signatures (38914, 38915) and has updated URL filtering and Threat Prevention to protect customers from the AceDeceiver Trojan as well as the FairPlay MITM attack technique.” states Palo Alto Networks.

The experts at Palo Alto Networks explained that the FairPlay MITM attack is very dangerous for the following reasons:

  • It doesn’t rely on enterprise certificates.
  • Once the DRM mechanism is fixed, it’s likely the attack would still be effective against older versions of iOS systems.
  • The attackers only need the malicious app to be present in the App Store for a limited period.
  • The attack scenario doesn’t require victims to install the malicious apps manually.
  • The iOS device is silently infected by the software running on the connected, compromised computer. “The only indication is that the new malicious app does appear as an icon in the user’s home screen, so the user may notice a new app he or she won’t recall downloading.”

Security experts fear new FairPlay MITM attacks against victims worldwide in the near future.