Palo Alto Networks has discovered a new family of iOS malware that has successfully infected non-jailbroken devices, codenamed AceDeceiver.
Instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all.
It does so by exploiting design flaws in Apple’s DRM mechanism, and even though Apple has removed AceDeceiver from the App Store, it may still spread thanks to a novel attack vector.
Palo Alto said AceDeceiver is the first iOS malware found to abuse certain design flaws in Apple’s DRM protection mechanism FairPlay to install malicious apps on iOS devices regardless of whether they are jailbroken.
This technique is called “FairPlay Man-In-The-Middle (MITM)” and has been used since 2013 to spread pirated iOS apps, but this is the first time we’ve seen it used to spread malware.
Three different iOS apps in the AceDeceiver family were uploaded to the official App Store between July 2015 and February 2016 - all disguised as wallpaper apps.
These apps successfully bypassed Apple’s code review at least seven times - including the first time each was uploaded and then four rounds of code updates, each of which requires an additional review by Apple.
The app tailors its behavior to the physical geographic region in which it is being executed - currently it only displays malicious behavior when the user is located in China, but that would be easy for the attacker to change at any time.
Apple removed these three apps from the App Store after Palo Alto reported them in late February, but the attack is still viable because the FairPlay MITM attack only requires these apps to have been available in the App Store once. As long as an attacker has obtained a copy of the authorization from Apple, the attack does not require the apps to still be available in the App Store in order to spread them.