Wednesday, 16 March 2016

First iOS Trojan To Exploit Apple DRM Flaw

Today the Palo Alto Networks research centre announced that it had found the first iOS Trojan to exploit a flaw in Apple's Digital Rights Management (DRM) protection mechanism. The Trojan has been named AceDeceiver, a name you will understand once you learn how it sneaks onto iOS devices.

AceDeceiver uploads Apple IDs and passwords to its command and control server, whatever the text on its various dialogue boxes (part of the cover functionality) would have you believe.

Apple's DRM mechanism is called FairPlay, which was based on technology from a company called Veridisc. The technique AceDeceiver uses has been known for some time: it is called the FairPlay Man-in-the-Middle (MITM) attack. It had previously been used to spread pirated apps, but not malware. In some ways it was only a matter of time.

Originally discussed at USENIX 2014, the FairPlay Man-in-the-Middle attack does not require the device to be jailbroken, unlike some previous methods of achieving the same result.

The attack by AceDeceiver is described by the researchers thus:

Apple allows users [to] purchase and download iOS apps from their App Store through the iTunes client running on their computer. They then can use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code. They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices into believing the app was purchased by the victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user's knowledge.

Description of AceDeceiver Trojan by Palo Alto Networks
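To make the replay concrete, here is a toy model of the authorization flow the researchers describe. It is an added, constructed illustration, not code from the post or from Palo Alto Networks, and not Apple's real protocol: the actual FairPlay authorization format, keys and device-side checks are not documented on this page, so the `STORE_KEY`, the app and account names and the `Authorization` fields are all assumptions. The model keeps only the property the attack depends on: the device verifies that the store issued a genuine authorization code for the app, but not that the code was issued to this device or to the Apple ID signed in on it, so a code saved from the attacker's own purchase can be replayed by a fake iTunes client. The hardened check alongside it shows the general fix class (binding the code to device and account); whether Apple's eventual fix works this way is not stated on the page.

```python
"""Toy model of the FairPlay man-in-the-middle replay described above.

Constructed illustration only (added here, not from the post or from Palo Alto
Networks). The real FairPlay authorization format, keys and checks are not
documented on the page this accompanies; every identifier below is assumed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical shared secret standing in for whatever the store and device use
# to authenticate authorization codes.
STORE_KEY = b"store-secret-for-illustration"


@dataclass(frozen=True)
class Authorization:
    app_id: str
    account: str     # Apple ID that paid for the app
    device_id: str   # "" when the store does not bind the code to a device
    tag: str         # store's MAC over the fields above


def _tag(app_id: str, account: str, device_id: str) -> str:
    msg = "|".join((app_id, account, device_id)).encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()


def store_purchase(app_id: str, account: str, device_id: str = "") -> Authorization:
    """Store side: issue an authorization code for a purchase by `account`.
    With device_id="" the code says nothing about where it may be installed."""
    return Authorization(app_id, account, device_id, _tag(app_id, account, device_id))


def device_accepts_weak(app_id: str, auth: Authorization) -> bool:
    """Vulnerable device check: any genuine store authorization for this app
    is enough, regardless of who bought it or for which device."""
    return auth.app_id == app_id and hmac.compare_digest(
        auth.tag, _tag(auth.app_id, auth.account, auth.device_id))


def device_accepts_strong(device_id: str, account: str, app_id: str,
                          auth: Authorization) -> bool:
    """Hardened check: the code must name this device and the signed-in account,
    and the MAC must cover those bindings, so a captured code is useless elsewhere."""
    return (auth.app_id == app_id
            and auth.device_id == device_id
            and auth.account == account
            and hmac.compare_digest(auth.tag, _tag(app_id, account, device_id)))


APP = "com.example.someapp"          # constructed app identifier
VICTIM_DEVICE = "victim-iphone-01"   # constructed device identity
VICTIM_ID = "victim@example.com"     # constructed Apple ID


def legitimate_install() -> bool:
    """Honest flow: the victim buys the app through iTunes and installs it on
    their own device; both device checks pass."""
    auth = store_purchase(APP, VICTIM_ID, VICTIM_DEVICE)
    return device_accepts_weak(APP, auth) and device_accepts_strong(
        VICTIM_DEVICE, VICTIM_ID, APP, auth)


def fairplay_mitm_replay():
    """Attack flow from the post: the attacker buys the app once, saves the
    authorization code, and a fake iTunes client replays it to a victim
    device. Returns (accepted by weak check, accepted by strong check)."""
    captured = store_purchase(APP, "attacker@example.com")   # attacker's purchase
    return (device_accepts_weak(APP, captured),
            device_accepts_strong(VICTIM_DEVICE, VICTIM_ID, APP, captured))


if __name__ == "__main__":
    print("legitimate install accepted:", legitimate_install())
    weak, strong = fairplay_mitm_replay()
    print("replayed code accepted by weak device check:", weak)      # True
    print("replayed code accepted by strong device check:", strong)  # False
```

The two checks differ only in what the device insists the code be bound to. That is the whole lesson of the FairPlay MITM: a proof of purchase that is valid for any device and any account is a bearer token, and a bearer token captured once can be replayed to every victim whose PC the attacker controls.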

Previous iOS malware has typically abused enterprise certificates in order to spread and to be allowed to install on iOS devices. AceDeceiver marks a worrying new departure. Three different apps belonging to the AceDeceiver family were placed in the official App Store between July 2015 and February 2016. They have now been removed, but it means they must have eluded Apple's code review process at least seven times. A similar failure of the review process was seen earlier by the same group of researchers with an app called ZergHelper.

Currently it looks like affected users are mainly in China, but (and this is the reason we should all take note) this Trojan shows how malware can and will hit iOS without the need for enterprise certificates (and hence outside MDM control), and the problem has yet to be patched. Although the attack requires the user's PC to be infected first, once it is infected the iOS device is attacked in the background, without the user being aware of any action being taken on the device.

If you are responsible for security in your organisation, I suggest you familiarise yourself with this new form of Trojan, as it is only a matter of time before further malware makes use of the same attack vector. If anyone in your IT estate has installed the Aisi Helper app, uninstall it at once and have those affected change their Apple ID password.