A new discovery by Palo Alto Networks indicates that there is a new trojan known as AceDeceiver, which can be installed on an iOS device without the user’s knowledge and without the help of an enterprise certificate. Once installed, it will spread malware and unwanted software to the user’s device.
AceDeceiver works by taking advantage of the FairPlay digital rights management (DRM) system that Apple has in place, through what’s called a “FairPlay Main-in-the-Middle”, as Palo Alto Networks calls it. In the past, this same method has been used to distribute pirated iOS apps by using fake iTunes software, as well as altered authorization codes. That same technique is now being used to spread the trojan.
Apple allows users purchase and download iOS apps from their App Store through the iTunes client running in their computer. They then can use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code.
They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.
It’s been discovered that from July 2015 to February 2016, at least three different AceDeceiver apps were uploaded to the official iOS App Store. They were apparently posing as wallpaper apps, and it gave those behind the apps fake authorization codes to use in the attack. On top of that, a Windows-based iPhone management app called “Aisi Helper” (which claimed to offer system backup services), has been used to install malicious iOS apps to iOS devices that are connected directly to the PC. It did so by offering access to a third-party app store, which offered free apps. That third-party app store could only be accessed by inputting the user’s Apple ID and password, to which it immediately became available to the attackers.
Though Apple removed the apps from the App Store in February, the attack remains active because attackers still have the authorization code, AceDeceiver only affects users in China, but Palo Alto Networks believes the AceDeceiver trojan or similar malware could spread around to additional regions. It is especially insidious as it has not been patched (and could work on older versions of iOS even when patched), installs apps automatically from an infected computer, and does not require an enterprise certificate.
AceDeceiver in its current incarnation requires users to download the Aisi Helper Windows app to their computers before the malware can spread to iOS devices, so people who have downloaded this software should remove it immediately and change their Apple ID passwords. In the future, AceDeceiver can be avoided by not downloading suspicious software.
Other steps to take, as recommended by Palo Alto Networks, include:
- Check to make sure no strange enterprise certificates have been installed on your device
- Check to make sure no strange provisioning profiles have been installed on your device
- Enable two-factor authentication for your Apple ID
- Change your Apple ID password as soon as possible
The security firm also notes that any enterprise certificates or provisioning profiles related to AceDeceiver could have names equal or similar to:
The best course of action at this point is for anyone that has installed the Aisi Helper app on their Windows-based PC to remove it immediately. You can also read up on AceDeceiver on Palo Alto Network’s website, available through the source link below.
‘AceDeceiver’ New iOS trojan Can Bypasses Apple’s DRM Mechanism