Information about Installing the AceDeceiver Malware:
The main goal of hackers targeting Apple mobile devices is to install applications of their choosing, even on devices that are not jailbroken. Now, hackers are exploiting a flaw in Apple’s Digital Rights Management (DRM) technology to achieve that goal and install malicious apps on any iOS device.
Recently, experts from the security firm Palo Alto Networks spotted three malicious applications on the official App Store. The fraudsters uploaded and updated these three apps between July 2015 and February 2016; the apps were designed to steal Apple IDs and passwords, mainly from Chinese users.
The first app was available for download from July 10, 2015, the second from November 7, 2015, and the third from January 30, 2016.
Notably, these three applications can be installed silently by software running on a Windows computer to which the device is connected.
These malicious iOS apps were used by the fraudsters to connect devices to a third-party app store controlled by the attackers, which served malicious code wrapped in iOS apps or games.
Officially, the only ways to install an app on a non-jailbroken iOS device are to download it from the official App Store or to install it via the iTunes software from the user’s computer. In the second scenario, the device verifies the app’s legitimate origin using Apple’s FairPlay DRM technology.
At the USENIX Security Symposium in 2014, a group of experts from the Georgia Institute of Technology presented a method for installing any application on an iOS device through iTunes, provided the app had previously been obtained with a different Apple ID.
The attack scenario proposed by the experts is clear: a hacker remotely installs mobile apps on an iOS device connected to an already compromised computer.
Now researchers at Palo Alto Networks have confirmed that hackers in the wild are using this trick to serve up a malicious app called AceDeceiver on non-jailbroken devices.
Unlike most iOS malware strains, the AceDeceiver threat can infect iPhones without a jailbreak.
AceDeceiver differs from threats previously discovered in the wild; instead of digitally signing malicious code and certificates, it uses a flaw in the DRM mechanism.
“We have discovered a new family of iOS malware that has successfully infected non-jailbroken devices, which we have named ‘AceDeceiver,’” according to a Palo Alto Networks blog post.
“What makes AceDeceiver different from previous iOS malware is that instead of abusing corporate certificates like some iOS malware in the last two years, AceDeceiver can install itself without any corporate certificate. It does so by exploiting design flaws in Apple’s DRM mechanism, and although Apple has removed AceDeceiver from the App Store, it can still spread thanks to a new attack vector.”
How does AceDeceiver work?
The attackers first uploaded their seemingly legitimate apps to the App Store and managed to pass Apple’s review process by submitting them as wallpaper apps. Once Apple approved the apps and published them on the official App Store, the attackers purchased them through iTunes to obtain the FairPlay DRM authorization code.
The fraudsters developed a Windows client called Aisi Helper that impersonates the iTunes client in order to store and send the authorization codes for the apps. These codes trick a connected iOS device into believing the apps were legitimately purchased from the official store, so the hackers can install unlimited copies on as many iPhones, iPods and iPads as they like.
Fraudsters distributed the client software in China by posing as a utility for iOS devices that can perform system reinstallation, jailbreaking, system backup, device management, and system cleaning.
“To carry out the attack, the author created a Windows client named ‘爱思助手’ (Aisi Helper) to carry out the FairPlay MITM attack. Aisi Helper is supposed to be a software that provides services for iOS devices such as system reinstallation, jailbreaking, system backup, device management and system cleaning,” the post continues.
Aisi Helper was developed by a company based in Shenzhen, China, and the experts also noticed that AceDeceiver uses the domain of the product’s official website, www.i4[.]cn, as its command and control server. The threat actors used third-level subdomains under this domain for downloads and updates.
Aisi Helper was first released in January 2014, when it showed no malicious behavior. By December 2014 the tool had become very popular, with more than 15 million users and more than 6.6 million monthly active users. The malicious functionality was added later, in 2015.
The experts noticed that when a user visits the official website from a computer, it prompts them to install the Aisi Helper PC client. Users visiting the site from an Apple mobile device are redirected to the mobile version of the site (m.i4[.]cn) and offered an enterprise-certificate-signed version of the iOS client.
“During our investigation in February 2016, all Aisi Helper Windows or iOS clients downloaded from the official website contained the AceDeceiver Trojan horse,” reads the analysis published by Palo Alto Networks.
When users connected their iOS devices to a computer running this software, it silently installed AceDeceiver using an authorization code captured when the app was first deployed on the official store.
“By deploying an authorized computer on the C2 server and using client software as an agent in the middle, an attacker can distribute a purchased iOS application to an unlimited number of iOS devices,” reads the post.
The “FairPlay Man-In-The-Middle (MITM)” hacking technique is not new; since 2013 it has been used by malware to install pirated apps on Apple mobile devices. Each time users want to install a pirated copy of a legitimate app, they need an authorization code obtained for a legitimate, FairPlay-protected copy of that app.
The technique still works even after Apple removes the AceDeceiver apps from the official App Store, because the attackers already hold the authorization code they need to complete the installation.
Back to the AceDeceiver case: Apple removed the malicious apps from the official store after the Palo Alto Networks experts reported their discovery in late February 2016. Unfortunately, the attack remains viable for the reason above.
“As long as an attacker could obtain a copy of the authorization from Apple, the attack does not require the current availability of the App Store to distribute these applications,” say the Palo Alto Networks experts. “Even if the app has been removed from the App Store, attackers can still distribute their own copies to iOS users,” explained the team of experts at the USENIX conference.
Below is the AceDeceiver timeline published by Palo Alto Networks:
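As an added illustration (not code from the article or from Palo Alto Networks), the following Python model shows why an authorization that proves only "this account bought this app" can be replayed by a MITM client to any device, and what changes once the token is bound to the installing device and its request. The token format, key, names and the shared-secret MAC are assumptions for the model; it is not Apple's FairPlay protocol.

```python
import hashlib
import hmac
import json
import os

# Constructed key for the model. A shared-secret MAC stands in for the
# store's signature; the real DRM uses its own scheme, not modelled here.
STORE_KEY = b"constructed-store-signing-key"


def issue_authorization(app_id, account, device_id=None, nonce=None):
    """Store side: sign an authorization for a purchased app.
    Without device_id/nonce the token only proves a purchase (the
    replayable design the article describes); with them it is tied to
    one device and one install request."""
    claims = {"app": app_id, "account": account,
              "device": device_id, "nonce": nonce}
    msg = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def device_accepts(device_id, nonce, auth):
    """Device side: check the store's tag and, when the token carries
    binding fields, that they name this device and this request."""
    claims = auth["claims"]
    msg = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["tag"]):
        return False
    if claims["device"] is None:  # unbound token: any device accepts it
        return True
    return claims["device"] == device_id and claims["nonce"] == nonce


def replay_to_victim(bound):
    """Attacker buys the app once, captures the authorization, and a
    MITM client forwards that same token to a victim's device."""
    attacker_nonce = os.urandom(8).hex()
    auth = issue_authorization("wallpaper-app", "attacker-account",
                               "attacker-device" if bound else None,
                               attacker_nonce if bound else None)
    victim_nonce = os.urandom(8).hex()  # victim's own install request
    return device_accepts("victim-device", victim_nonce, auth)


def legitimate_install(bound):
    """The purchasing device installs its own app; works in both designs."""
    nonce = os.urandom(8).hex()
    auth = issue_authorization("wallpaper-app", "attacker-account",
                               "attacker-device" if bound else None,
                               nonce if bound else None)
    return device_accepts("attacker-device", nonce, auth)
```

With `bound=False` the replay succeeds on the victim device, which is the property that lets the attack outlive the apps' removal from the store; with `bound=True` only the purchasing device accepts the token.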
Jan 2013: FairPlay MITM attack has been used in the wild to spread pirated iOS apps.
Aug 2014: Researchers published a paper describing the FairPlay MITM attack at the 23rd USENIX Security Symposium.
Mar 26, 2015: AceDeceiver’s enterprise-certificate-signed iOS apps added password-stealing functionality. These apps were embedded into Aisi Helper Windows clients.
Jul 10, 2015: AceDeceiver’s iOS app “爱思助手” was available in the HK and NZ App Store.
Jul 24, 2015: Aisi Helper Windows client updated to embed its App Store version iOS app.
Nov 7, 2015: AceDeceiver’s iOS app “AS Wallpaper” was available in the US App Store.
Jan 30, 2016: AceDeceiver’s iOS app “i4picture” was available in the US and UK App Store.
Feb 21, 2016: Palo Alto Networks published its report on ZergHelper.
Feb 24, 2016: Palo Alto Networks reported the AceDeceiver issue to Apple.
Feb 25, 2016: AceDeceiver apps were removed from the App Store.
Feb 26, 2016: Palo Alto Networks reported the FairPlay MITM attack issue in AceDeceiver to Apple.
“Our AceDeceiver analysis leads us to believe that the FairPlay MITM attack will become the next popular attack vector for non-jailbroken iOS devices – and therefore a threat to Apple device users worldwide. Palo Alto Networks has released IPS signatures (38914, 38915) and updated URL filtering and threat prevention to protect customers from the AceDeceiver Trojan as well as the FairPlay MITM attack technique,” according to Palo Alto.