Dubbed AceDeceiver, this malware is able to install itself without an enterprise certificate, unlike previous iOS malware that abused enterprise certificates in order to infect devices. This is also the first iOS malware that exploits design flaws in Apple’s DRM protection mechanism, FairPlay, which means that it can infect devices that aren’t jailbroken.
How AceDeceiver works
The malware initiates itself from a Windows PC with iTunes running on it. Apple allows you to purchase apps from the iTunes client that later get installed on your iOS device. During that process, your device requests an authorization code to prove these apps were actually purchased. This is the FairPlay DRM protection mechanism AceDeceiver exploits.
The technique is known as FairPlay Man-In-The-Middle (MITM), which consists of the attacker purchasing an app from the App Store and intercepting the authorization code.
The attacker uses specifically developed software on the PC side that simulates the iTunes client to trick your iOS device into believing an app was purchased, thus making it easy to install malicious apps from a third-party app store without you even knowing it.
The graphic below gives you a visual of how it works.
The FairPlay MITM technique has been in use since 2013 to spread pirated iOS apps, but this is the first time it’s being used to spread malware.
Unfortunately, the report didn’t specify exactly what the malware does once it takes up residence on your device. Malware generally consists of malicious code that’s used to either gain access to a device to steal information or to render the device useless.
The Windows client used to carry out the attack is called Aisi Helper. Created in 2015, Aisi Helper is marketed as a software that provides system re-installation, jailbreaking, system backup, device management, and system cleaning for iOS devices. However, it can also install malicious apps on any iOS device connected to a computer that the Aisi Helper software is installed on. These malicious apps can connect to a third-party app store to download iOS apps or games, and they encourage users to enter their Apple IDs and passwords for more features. And of course, these IDs and passwords get uploaded to AceDeceiver’s server.
It was also discovered that AceDeceiver was able to spread without a PC. Palo Alto revealed three different iOS apps in the AceDeceiver family that were uploaded to the official App Store between July 2015 and February 2016: 壁纸助手 (which roughly translates to “Wallpaper Assistant”), AS Wallpaper, and i4picture. What’s scary about this is that all three apps bypassed Apple’s code review at least seven times because each app behaved differently based on the physical geographic region. These apps only displayed malicious behaviors if the devices were in China.
Apple removed all three apps from the App Store after Palo Alto reported them. However, Palo Alto says the attack is still viable because the FairPlay MITM attack only needs these apps to be available in the App Store once. If an attacker obtains a copy of the authorization from Apple, these apps could be spread to other devices without them physically being in the App Store.
At the moment, AceDeceiver only affects iPhone and iPad users in China, but based on the fact that it can affect non-jailbroken iOS devices, Palo Alto thinks we could see it spread to more regions soon. This could be from the original attacker or a completely new attack based on a similar technique.
How to protect yourself
Chances are very slim that you currently have the AceDeceiver malware on your iPhone or iPad. As of right now, Palo Alto estimates about 15 million people used the Aisi Helper software, and they are all in China. That sounds like a high number, but when you consider all the iPhones and iPads worldwide, it’s a small percentage. However, you still need to keep some things in mind since it’s likely that similar attacks will take place in different regions.
The first obvious thing you need to do is avoid the Aisi Helper software. However, as Palo Alto warns, versions of the software under a different name could be out in the wild. We recommend that you avoid any third-party software for iOS devices. If it wasn’t developed by Apple, stay away from it.
If you did fall victim to installing malicious PC software, the app(s) that it installs on your iPhone or iPad will at least be visible with an icon. You should immediately uninstall any apps that you know you didn’t install yourself.
You also want to make sure to avoid any third-party app stores, and more importantly, never input your Apple ID and password in any third-party app that promises to give you the same apps and games you can get from the official App Store.
It’s also important that you always download and install the latest version of iOS. Now that Apple has all the necessary information regarding AceDeceiver, it will likely issue a patch in a future update. However, older versions of the iOS software will still be vulnerable.
This is a very complicated exploit so we encourage you to check out the full report from Palo Alto Networks on AceDeceiver for more information.
