Non-jailbroken iPhones are usually close to immune from malware thanks to Apple vetting every app before it’s made available in the App Store. So far, malware has relied on abusing enterprise certificates designed to allow companies to distribute apps to their own phones. But security company Palo Alto Networks has discovered a new piece of malware that can infect iPhones by exploiting a vulnerability in Apple’s DRM mechanism.
AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken.
AceDeceiver currently uses a geotag so that it is only activated when a user is located in China, but a simple switch could allow it to infect iPhones elsewhere …
The mechanism used is known as FairPlay Man-in-the-Middle. This is an approach commonly used to distribute pirated iOS apps, but this is the first time it’s been found to install malware.
Apple allows users to purchase and download iOS apps from the App Store through the iTunes client running on their computer. They can then use the computer to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from the App Store, then intercept and save the authorization code. They then develop PC software that simulates the iTunes client’s behavior and tricks iOS devices into believing the app was purchased by the victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s
Although Palo Alto Networks notified Apple, which removed the apps, this doesn’t stop the attack from working, as the apps only need to have been available in the App Store once for the authorization code to work.
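To make the design flaw concrete, here is an added example (it is not from the article or from Palo Alto Networks, and it is a toy model rather than Apple’s real FairPlay protocol) of what an “authorization code” check looks like when the code is not tied to the device that presents it. The first variant issues a code that depends only on the app, so one code captured during a single legitimate purchase can be replayed to any number of devices, which is the property the article describes. The second variant has the device contribute its own identity and a one-time nonce before the store signs anything, so a captured code is accepted once, on one device, and nowhere else. The signing key, app id and device ids are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed secret shared by the store (issuer) and the on-device verifier.
STORE_KEY = b"toy-store-signing-key"


def _tag(*parts: str) -> str:
    """Keyed MAC over the joined fields; stands in for the store's signature."""
    msg = "|".join(parts).encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()


# --- Variant 1: code bound to the app only (replayable) -----------------

def issue_unbound_code(app_id: str) -> str:
    """Store issues a code proving 'someone bought app_id'."""
    return _tag("unbound", app_id)


def device_accepts_unbound(app_id: str, code: str) -> bool:
    """Device checks the code is genuine but cannot tell who it was issued to."""
    return hmac.compare_digest(code, issue_unbound_code(app_id))


# --- Variant 2: code bound to device identity and a fresh nonce --------

class Device:
    """On-device verifier that challenges the store before trusting a code."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self._pending: dict[str, str] = {}  # app_id -> outstanding nonce

    def request_challenge(self, app_id: str) -> tuple[str, str]:
        """Hand the store what it must sign: our id and a one-time nonce."""
        nonce = secrets.token_hex(16)
        self._pending[app_id] = nonce
        return self.device_id, nonce

    def accept_bound(self, app_id: str, code: str) -> bool:
        """Accept only a code over our own id and the nonce we just issued."""
        nonce = self._pending.pop(app_id, None)  # consumed on first use
        if nonce is None:
            return False
        expected = _tag("bound", app_id, self.device_id, nonce)
        return hmac.compare_digest(code, expected)


def issue_bound_code(app_id: str, device_id: str, nonce: str) -> str:
    """Store signs the app, the requesting device and that device's nonce."""
    return _tag("bound", app_id, device_id, nonce)


# --- Scenarios mirroring the article -----------------------------------

APP = "com.example.toyapp"  # constructed app id


def replay_against_unbound() -> list[bool]:
    """One legitimate purchase, then the saved code presented to three devices."""
    captured = issue_unbound_code(APP)            # obtained during one real purchase
    return [device_accepts_unbound(APP, captured) for _ in range(3)]


def replay_against_bound() -> tuple[bool, bool, bool]:
    """Same capture, but each device demanded a code bound to itself."""
    purchaser = Device("device-A")
    other = Device("device-B")

    dev_id, nonce = purchaser.request_challenge(APP)
    captured = issue_bound_code(APP, dev_id, nonce)  # code the attacker could save

    first = purchaser.accept_bound(APP, captured)    # genuine first use: accepted
    second = purchaser.accept_bound(APP, captured)   # replay on same device: nonce gone
    other.request_challenge(APP)
    third = other.accept_bound(APP, captured)        # replay on another device: wrong binding
    return first, second, third


if __name__ == "__main__":
    print("unbound code replayed to 3 devices:", replay_against_unbound())
    print("bound code (first use, replay, other device):", replay_against_bound())
```

The unbound variant is exactly what lets a single App Store listing, even one Apple has since removed, keep authorizing installs: the device has no way to distinguish a code issued to the victim from one saved by whoever built the fake iTunes client. Binding the code to a device-chosen nonce and identity is the standard fix for any replayable proof-of-purchase, and it is what the toy `Device` class enforces.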
The good news is that, so far, only Windows PC users are at risk: AceDeceiver relies on tricking iTunes users into installing a helper client, which acts as the man-in-the-middle. But Palo Alto Networks says that the mechanism is such an easy route for installing malware that others are likely to copy the approach.
For Mac users, the best advice, as always, is to keep your security settings set to allow only Mac App Store apps to be installed or, failing that, Mac App Store and identified developers. This setting can be found under the Apple menu in System Preferences > Security & Privacy > General.