Everything you need to know about the AceDeceiver iOS Malware
Researchers at Palo Alto Networks recently identified a new iOS malware, called AceDeceiver. What sets AceDeceiver apart from other iOS malware variants that abuse enterprise certificates is that it manages to install itself without any enterprise certificate at all. It exploits design flaws in Apple’s DRM mechanism (make sure you read about Skycure’s discovery on Malicious Profiles, yet another vulnerability that exists by design). Though Apple has removed AceDeceiver from the App Store, it may still spread using other attack vectors. Though the vulnerability was only announced yesterday, we are pleased to announce that the Enterprise Edition of Skycure already detects and protects against this and other known and unknown iOS malware.
How does it work?
AceDeceiver is probably the first iOS malware that abuses design flaws in Apple’s DRM protection mechanism (FairPlay) to install malicious apps on both jailbroken and non-jailbroken iOS devices. This technique is called “FairPlay Man-In-The-Middle (MITM)” and has been used since 2013 to spread pirated iOS apps, but this is probably the first time it has been used to spread malware.
Apple allows users to purchase and download iOS apps using their computers and then transfer the app to their iOS devices. iOS devices request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, an attacker can use the following steps to install a malicious application on iOS devices (such as iPhones and iPads):
- Attacker purchases any app from App Store
- They intercept and save the authorization code
- They develop computer software that simulates iTunes
- They trick the user’s iOS device into believing that the app was actually purchased by the victim, and can hence install any potentially malicious app without the user’s knowledge.
AceDeceiver can be used to steal the victim’s Apple ID and password, make purchases on their behalf and also steal other sensitive information from the device.
Remediation of AceDeceiver iOS Malware
All the AceDeceiver Trojan apps have been removed from the App Store. However, the Aisi Helper Windows client can still install these apps to non-jailbroken iOS devices using a FairPlay MITM attack. With the Enterprise Edition of Skycure, one could detect a variety of threats including the AceDeceiver malware and apply relevant security and compliance policy to alert on, quarantine or block infected devices.
In addition, we have put together a list of recommendations to help end users and enterprises stay safe until other security solutions catch up on detection and mitigation:
Recommendations for end users:
- Immediately remove Aisi Helper’s Windows client or iOS apps deployed after March 2015
- Change your Apple ID passwords
- Enable two-factor authentication for your Apple ID
- On your iOS device, go to Settings > General > Profiles and remove any malicious profile or the profiles you do not recognize. (Profiles will not show up under General if you do not have any Profiles installed.)
- Do not tap any dialog boxes that pop up on your phone unless you are sure about the action that caused them to appear
- Download Skycure from the Apple App Store and (if applicable) upgrade to the Enterprise Edition
Recommendations for enterprises:
- Check whether any iOS app with the following identifiers is installed on managed devices:
- Check for unknown or abnormal provisioning or malicious profiles (example shown below)
- Check traffic to and from the i4[.]cn domain to identify potential AceDeceiver traffic
- Download Skycure from the Apple App Store and upgrade to the Enterprise Edition
- Request a free assessment to see if your organization has been impacted by AceDeceiver
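The traffic check above can be scripted against a web proxy export. The following is an added example written for this post, not Skycure's own tooling: it assumes a constructed space-separated proxy log format (timestamp, client IP, method, target, status) and flags only the i4.cn domain and its subdomains, so a look-alike host that merely ends in the same characters is not reported.

```python
from urllib.parse import urlsplit

# Domain called out in the recommendations above (written de-fanged there as i4[.]cn).
WATCHED_DOMAINS = {"i4.cn"}

# Constructed sample proxy log lines (hypothetical format; not real traffic).
# Lines 4 and 5 are deliberate look-alikes that must NOT be flagged.
SAMPLE_PROXY_LOG = """\
2016-03-17T09:12:01Z 10.0.4.21 GET http://www.i4.cn/update/check HTTP/1.1 200
2016-03-17T09:12:05Z 10.0.4.22 GET https://example.com/index.html 200
2016-03-17T09:13:10Z 10.0.4.21 CONNECT i4.cn:443 200
2016-03-17T09:14:33Z 10.0.4.23 GET http://noti4.cn/page 200
2016-03-17T09:15:00Z 10.0.4.24 GET http://i4.cn.example.net/x 200
"""


def host_matches(host, watched=WATCHED_DOMAINS):
    """True if host is a watched domain or a subdomain of one (label-boundary safe)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def extract_host(target):
    """Pull the hostname out of a full URL (GET/POST) or a host:port (CONNECT) field."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0] if ":" in target else target


def scan_proxy_log(text, watched=WATCHED_DOMAINS):
    """Return (client_ip, host, timestamp) for every request to a watched domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line; skip rather than crash
        timestamp, client, _method, target = parts[:4]
        host = extract_host(target)
        if host_matches(host, watched):
            hits.append((client, host, timestamp))
    return hits


def clients_to_review(text, watched=WATCHED_DOMAINS):
    """Distinct client IPs that contacted a watched domain; candidates for device inspection."""
    return sorted({client for client, _host, _ts in scan_proxy_log(text, watched)})


if __name__ == "__main__":
    for client, host, ts in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {host}")
    print("review:", clients_to_review(SAMPLE_PROXY_LOG))
```

Devices behind the flagged client addresses are the ones to check for the Aisi Helper apps and unrecognized profiles listed above.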
Image: A sample Malicious Profile