KeyRaider iOS Malware: How to Keep Yourself Safe

Earlier this week we published an analysis of KeyRaider, which is an iOS malware family and a reminder of the risks users take when they choose to jailbreak their mobile devices.

Attackers used KeyRaider malware to steal more than 225,000 Apple accounts. KeyRaider targeted only jailbroken Apple devices, primarily through Chinese websites and apps that provide software for those jailbroken phones.

The best way to keep a mobile device safe is to keep it up to date with the latest software updates. That also means not jailbreaking your phone in the first place, as today there aren’t any Cydia repositories that perform strict security checks on apps or the tweaks used to change them.

But if your device is already jailbroken, what steps can you take to protect it against KeyRaider?

Determine if your account was stolen. WeipTech has provided a service on their website for potential victims to query whether their Apple account was stolen. But this is not comprehensive; WeipTech was only able to recover around half of stolen accounts before the attacker fixed the vulnerability.

Determine if your iOS device was infected.

  1. Install openssh server through Cydia
  2. Connect to the device through SSH
  3. Go to /Library/MobileSubstrate/DynamicLibraries/, and grep for these strings to all files under this directory:
    1. wushidou
    2. gotoip4
    3. bamu
    4. getHanzi

Delete the malware. If any dylib file contains any one of these strings, we urge you to delete it and delete the plist file with the same filename, then reboot the device.

Change your password. We suggest all affected users change their Apple account password after removing the malware, and enable two-factor verifications for Apple IDs.


What should you do if your phone is being held for ransom?

In this case, your best chance of recovering your phone is if you already have OpenSSH installed on the device. If so, log in and delete the malware following the steps above. If you don’t already have Open SSH installed, it’s going to be much more challenging to get around this particular ransomware. The standard Apple password reset and rescue are not going to function properly with this attack.

Beyond KeyRaider, what steps can a user with a jailbroken phone take to protect themselves?

Jailbreaking an iOS device removes a lot of the protection that Apple has put in place to prevent malware infections. Once those are gone, the responsibility is really on the user to avoid getting infected. Don’t install pirated software and only install software from sources you trust. Even then, your device is at risk so you should avoid using it for sensitive transactions like online banking.

For full details on KeyRaider, check out this week’s research blog post.

Got something to say?

Get updates: Unit42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42