'AceDeceiver' iOS Trojan Spotted in China, Bypasses Apple's DRM Mechanism

by

A new iOS trojan has been found in the wild that's able to infect non-jailbroken iOS devices through PCs without the need to exploit an enterprise certificate. Named "AceDeceiver," the malware was discovered by Palo Alto Networks and is currently affecting iOS users in China.

AceDeceiver infects an iOS device by taking advantage of flaws in FairPlay, Apple's digital rights management (DRM) system. According to Palo Alto Networks, it uses a technique called "FairPlay Man-in-the-Middle," which has been used to spread pirated iOS apps in the past by using fake iTunes software and spoofed authorization codes to get the apps on iOS devices. The same technique is now being used to spread the AceDeceiver malware.

acedeceiverfairplaymitm

Apple allows users purchase and download iOS apps from their App Store through the iTunes client running in their computer. They then can use the computers to install the apps onto their iOS devices. iOS devices will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code.

They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user's knowledge.

From July of 2015 to February of 2016, three AceDeceiver iOS apps were uploaded to the official iOS App Store, posing as wallpaper apps and providing attackers with a fake authorization code to use in the AceDeceiver attacks.

A Windows iPhone management app called "Aisi Helper" that claimed to provide services like system backup and cleaning was installed by users in China, and it went on to install malicious iOS apps on connected devices. The apps were designed to be third-party App Stores with free content to bait users into using them and submitting their Apple IDs and passwords. Apple ID information was then uploaded to the AceDeceiver server.

Though Apple removed the original AceDeceiver iOS apps from the App Store in February (the ones used by the hackers to obtain the authorization codes), the attack remains active because attackers still have the authorization codes necessary to install fake apps on iOS devices. AceDeceiver only affects users in China, but Palo Alto Networks believes the AceDeceiver trojan or similar malware could spread to additional regions in the future. AceDeceiver is especially insidious as it has not been patched (and could work on older versions of iOS even when patched), installs apps automatically from an infected computer, and does not require an enterprise certificate.

acedeceiveriosapp

An AceDeceiver third-party App Store app installed automatically on an iOS device through a computer using the Aisi Helper Malware

AceDeceiver in its current incarnation requires users to download the Aisi Helper Windows app to their computers before the malware can spread to iOS devices, so people who have downloaded this software should remove it immediately and change their Apple ID passwords. In the future, AceDeceiver can be avoided by not downloading suspicious software.

Palo Alto Networks has a full rundown of AceDeceiver, its history, and how it works on the Palo Alto Networks website. It's well worth reading for anyone who wants more information about the malware.

Tags: Malware, Palo Alto Networks

Popular Stories

iPhone SE 4 Thumb 1

iPhone SE 4 With Apple's Own 5G Modem 'Confirmed' to Launch in March

Tuesday November 19, 2024 12:12 pm PST by
Barclays analyst Tom O'Malley and his colleagues recently traveled to Asia to meet with various electronics manufacturers and suppliers. In a research note this week, outlining key takeaways from the trip, the analysts said they have "confirmed" that a fourth-generation iPhone SE with an Apple-designed 5G modem is slated to launch towards the end of the first quarter next year. In line with previo...
Read Full Article131 comments
at t turbo indicator iphone 16 pro max v0 8hrh7w5f3w1e1

AT&T Turbo Indicator Showing Up in iPhone Status Bar for Subscribers

Wednesday November 20, 2024 3:42 am PST by
AT&T has begun displaying "Turbo" in the iPhone carrier label for customers subscribed to its premium network prioritization service, according to reports on Reddit. The new indicator seems to have started appearing after users updated to iOS 18.1.1, but that could be just coincidence. Image credit: Reddit user No_Highlight7476 The Turbo feature provides enhanced network performance through ...
Read Full Article105 comments
General Black Friday Deals 24 Green Tinsel

Apple Black Friday Deals Available Now: AirPods, iPads, and More

Friday November 22, 2024 5:28 am PST by
We're officially just one week away from Black Friday, which will take place on Friday, November 29 in 2024. As always, this week is the best time of the year to shop for great deals, including popular Apple products like AirPods, iPad, Apple Watch, and more. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small...
Read Full Article29 comments
anker new xmas 1

Anker Kicks Off Massive Black Friday Sale With Up to 50% Off Sitewide, Free Gifts With Purchase, Mystery Boxes, and More

Thursday November 21, 2024 7:53 am PST by
Anker today kicked off its big Black Friday sale, which is set to run through December 9. This sale includes notable discounts on portable chargers, USB-C hubs, cables, and more. Note: MacRumors is an affiliate partner with Anker. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. There are a few bonus offers during this event as ...
Read Full Article22 comments
Apple 2024 Black Friday Shopping Event feature

Apple Announces 2024 Black Friday Event, Offering Up to $200 Gift Card

Thursday November 21, 2024 5:10 am PST by
Apple's annual four-day Black Friday through Cyber Monday shopping event is returning on Friday, November 29 through Monday, December 2 in many countries, including the U.S., Canada, Australia, France, Germany, Italy, Spain, the U.K., and others. During the event, customers can get an Apple gift card with the purchase of an eligible product. In the U.S., for instance, Apple is including gift ...
Read Full Article64 comments
apple card feature2

Apple Card 3% Daily Cash Back Now Available From Two More Apple Partners

Tuesday November 19, 2024 10:36 am PST by
Apple has partnered with select merchants to offer Apple Card users three percent Daily Cash back on their purchases, and two new companies were added to the partner list today. When purchasing goods and services from Booking.com and ChargePoint, Apple Card users will now get more cash back. Booking.com is a site for reserving flights, cars, cruises, and hotels, while ChargePoint sells...
Read Full Article12 comments
Generic iOS 18 Feature Real Mock

Apple Releases iOS 18.1.1 and iPadOS 18.1.1 With Security Fixes

Tuesday November 19, 2024 10:10 am PST by
Apple today released iOS 18.1.1 and iPadOS 18.1.1, minor updates to the iOS 18 and iPadOS 18 operating systems that debuted earlier in September. iOS 18.1.1 and iPadOS 18.1.1 come three weeks after the launch of iOS 18.1. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. Apple has also released iOS 17.7.2 for...
Read Full Article29 comments
15 inch m3 macbook air

Amazon Takes Up to $300 Off M3 MacBook Air With New All-Time Low Prices

Wednesday November 20, 2024 7:05 am PST by
Amazon today has knocked the price off of multiple M3 MacBook Air models, with as much as $300 off select computers. Prices start at $849.00 for the 13-inch M3 MacBook Air (16GB RAM/256GB), and also include multiple 15-inch models as well. Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site ...
Read Full Article22 comments

Top Rated Comments

OldSchoolMacGuy Avatar
OldSchoolMacGuy
113 months ago
Installing software from a questionable source and get hacked? No way!
Score: 18 Votes (Like | Disagree)
macintoshmac Avatar
macintoshmac
113 months ago
"Though Apple removed the apps from the App Store in February, the attack remains active because attackers still have the authorization code,"

This. This is why Apple should never bow down to the FBI in the first place, and make sure that FBI knows this that nothing is secure in this world except content in a person's head. And philosophically, Alzheimer's is one of the the virus/ malware/ trojans that can wreck havoc to that data as well, making nothing at all truly completely secure and safe.

Apple can remove the GovernmentOS but the code once created can and most likely will be out in the wild very soon. That is a risk that nobody should take.
Score: 10 Votes (Like | Disagree)
hfletcher Avatar
hfletcher
113 months ago
So in order for iOS to be infected, you need to install a 'fake' iTunes to begin with?
Score: 10 Votes (Like | Disagree)
Norbs12 Avatar
Norbs12
113 months ago
What do you expect... you do shady sh*t without fully understanding it, shady sh*t happens to you.
Score: 8 Votes (Like | Disagree)
ForkHandles Avatar
ForkHandles
113 months ago
Good old China. Can't create or do anything productive so they have to hack others. They really are one of the worst countries on the planet.
Did you really just say that China makes nothing? Since they seem to make everything , what did you mean?
Score: 8 Votes (Like | Disagree)
Sirious Avatar
Sirious
113 months ago
Is iOS getting weaker by the day?



Attachment Image
Score: 8 Votes (Like | Disagree)
Read All Comments