Additional information pertaining to the iCloud account compromise that we reported on last week has now been made public, including a way of checking whether you’ve been compromised.
It seems that approximately 225,000 accounts may have been compromised by the malware, which was used for stealthy attacks. Those iCloud accounts are said to have originated from eighteen different countries, including China, France, Australia, Israel, Germany, Italy, Spain, South Korea, and Singapore, to name a few. As we previously reported, only jailbroken iOS devices have been affected by this breach. This corroborates our suggestion that the malware was distributed via multiple shady repositories and tweaks.
So yes, if you’re not jailbroken, you are safe from this hack. Also, if you’re jailbroken and have never installed pirated jailbreak tweaks from shady repositories, you should be mostly safe, too.
But if you’re jailbroken and have been installing jailbreak tweaks from shady repositories, chances are that this malware – going by the name of KeyRaider – may have infected your device.
When a tweak infected with KeyRaider is installed on a jailbroken iOS device, it sets about stealing Apple credentials and GUIDs (globally unique identifiers) and then uses them in a number of malicious ways. The most extreme use case is holding affected devices to ransom by remotely disabling the ability to unlock a device:
It can locally disable any kind of unlocking operations, whether the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server.
If you have a jailbroken device, have added non-stock Cydia repositories, installed dubious third-party tweaks, and noticed suspicious activity on your Apple account, then you may have been affected by KeyRaider. Palo Alto Networks and WeipTech have put together a web-based tool at weiptech.org to help you check if your account has been compromised. The site is in Chinese, but you should be able to use it with Google Translate. Simply enter the email address associated with your Apple account to check whether your Apple ID has been compromised.
Also, and we can’t stress this enough, turn on two-step verification for your Apple ID/iCloud account now if you haven’t already. You can follow the instructions here on how to do it: How To Enable Two-Step Verification For Apple ID / iTunes / iCloud.