The security track record of Apple’s locked-down mobile operating system has been so spotless that any hairline fracture in its protections makes headlines. So when security researchers revealed that a new flavor of malware known as AceDeceiver had found its way onto as many as 6.6 million Chinese iPhones, the news was covered like a kind of smartphone bird flu, originating in Asia but bound to infect the globe. But for iPhone owners, the lesson is an old one: Don’t go to extraordinary lengths to install sketchy pirated apps on your phone, and you should be fine.

“Everyone’s blown this way out of proportion,” says iOS security researcher and forensics expert Jonathan Zdziarski. “In its current form, this isn’t dangerous except to the exceptionally stupid.”

The Hack

Researchers at Palo Alto Networks on Wednesday published a detailed blog post revealing that Chinese software has been using a set of clever techniques to bypass Apple’s security restrictions. The hack was pulled off by the developers of a Chinese-language desktop program for Windows called AiSiHelper, designed to interface with iPhones to let anyone jailbreak phones, back them up, and install pirated apps. When AiSiHelper is installed on a PC and an iPhone or iPad is connected to it, the desktop program automatically plants its own rogue third-party app store app on the iPhone or iPad, which then prompts the user for an Apple ID and password and sends any credentials entered to a remote server. (Palo Alto Networks notes that it’s not clear whether those credentials have yet been abused for fraud.)

To circumvent Apple’s installation restrictions, the AiSiHelper developers used two significant tricks. First, they snuck three versions of their app into the App Store by making them appear to Westerners as benign wallpaper apps while hiding their password-demanding features in the versions tailored to the Chinese market. Second, and more importantly, they took advantage of a man-in-the-middle vulnerability in Apple’s FairPlay anti-piracy system that allowed the developers to keep installing their apps on iPhones from their desktop software even after the apps had been detected by Apple and removed from the App Store. Apple didn’t respond to WIRED’s request for comment on that FairPlay vulnerability or on the company’s failure to catch the sketchy apps in its App Store code reviews.

Who’s Affected?

According to Palo Alto Networks, AiSiHelper has 15 million downloads and 6.6 million active users, and its rogue app installation targets people in mainland China. It’s not the first time that unsavory developers have taken advantage of the popularity of pirated apps in China to spread nasty code: A piece of password-stealing malware infected 225,000 jailbroken iPhones last year. But AceDeceiver has spooked the security community by breaking Apple’s security restrictions even on non-jailbroken iPhones.

Security researchers are more concerned that AceDeceiver’s disturbingly clever techniques could be replicated to attack people who weren’t already seeking to install unauthorized apps on their phones. If hackers could quietly install a piece of malware on your desktop machine—as opposed to Chinese iPhone owners’ voluntary installation of AiSiHelper on their PCs—they might be able to pull off the same FairPlay man-in-the-middle trick to inject malicious apps onto your iPhone, too. “It’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique,” wrote Palo Alto researcher Claud Xiao in the firm’s blog post.

How Serious Is This?

Despite AceDeceiver’s innovations, however, even Palo Alto’s own researchers admit that it doesn’t pose much of a realistic threat to anyone who isn’t actively seeking to put shady apps on their device. Instead, argues Palo Alto researcher Ryan Olson, it’s more likely that incautious people like those who installed AiSiHelper will again use the technique to install pirated, unauthorized programs that come with unwanted side effects. “We likely will see this attack used again in the future, but … it’s probably going to be in a similar model,” says Olson. “People installing software to pirate apps which abuses this loophole and may introduce malicious behavior, rather than widespread infections.”

As for the scenario where the same technique is repurposed by invisible desktop malware to smuggle an evil app onto the user’s iPhone, iOS security researcher Zdziarski argues it’s possible, but far-fetched. The technique would first require sneaking that evil app past Apple’s App Store security review. The victim’s desktop machine would have to be infected with malware. And even then the malicious app would be restricted to its own “sandbox” on the device and unable to access other apps’ processes or data. And if an attacker already has access to a desktop, Zdziarski points out, why try to install a rogue app when he could just install ransomware or spyware directly on the PC, or even take iCloud tokens from the computer to steal the person’s iPhone secrets? “The technical capability is there, but I’m not sure how useful this is to an attacker,” Zdziarski says. “Why screw around installing an app that asks for their password when you already have full access to their data?”

In other words, it’s unlikely that AceDeceiver’s techniques would make an attacker’s job easier unless someone is actively seeking to circumvent Apple’s protections. The lesson for iPhone owners remains: If you don’t want rogue apps plaguing your pristine device, don’t go looking for them.

Source article: Hack Brief: No Need to Freak Out Over That Chinese iPhone Malware