iOS Trojan “AceDeceiver” Skirts Apple’s DRM To Inject Malware, Here’s How To Avoid It
A new iOS trojan called AceDeceiver has been identified that can infect iPhones and iPads without requiring them to be jailbroken. Discovered by Palo Alto Networks and currently only affecting users in China, AceDeceiver uses a technique known as a “FairPlay Man-in-the-Middle” and is spread via pirated App Store apps.
FairPlay is Apple’s digital rights management (DRM) software, and it is what ensures that apps installed on iOS devices are of legitimate origin rather than pirated. Unfortunately, this very protection is what is currently allowing some Chinese iOS users to become infected with the AceDeceiver trojan. The reason lies in how FairPlay works: an authorization code is required each time an iOS app is installed. Once that code has been captured from a legitimate iOS App Store app, it can be reused to install infected apps onto an iPhone or iPad without the user’s knowledge.
Apple allows users to purchase and download iOS apps from the App Store through the iTunes client running on their computer. They can then use the computer to install the apps onto their iOS devices. iOS devices request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, the attackers purchase an app from the App Store, then intercept and save the authorization code.
They then developed PC software that simulates the iTunes client’s behavior and tricks iOS devices into believing the app was purchased by the victim. As a result, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.
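The weakness described above is a replayable purchase authorization: the device checks that a code is valid for the app, but nothing ties the code to the device asking for the install. The toy model below, added here as an illustration and not Apple’s FairPlay protocol or code from Palo Alto Networks, contrasts such a design with one where the device supplies a fresh challenge and the store binds the authorization to both the device identity and that challenge. All names (`store_issue_weak`, `device_verify_bound`, the HMAC key standing in for a store signature) are assumptions of this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed key: stands in for the store's signing key. A real design would use an
# asymmetric signature that devices verify with the store's public key; a shared HMAC
# key is used here only to keep the model short.
STORE_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Authorization:
    app_id: str
    account: str
    device_id: Optional[str]  # absent in the replayable design
    nonce: Optional[str]      # absent in the replayable design
    mac: str


def _sign(*fields: str) -> str:
    """Authenticate the listed fields under the store key."""
    return hmac.new(STORE_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


# --- Replayable design: the code proves only "someone bought this app" ---

def store_issue_weak(app_id: str, account: str) -> Authorization:
    return Authorization(app_id, account, None, None, _sign(app_id, account))


def device_verify_weak(auth: Authorization, app_id: str) -> bool:
    # The device checks the code is genuine and for this app, but any device can
    # present it, and the purchasing account need not match the device's account.
    return auth.app_id == app_id and hmac.compare_digest(
        auth.mac, _sign(auth.app_id, auth.account))


# --- Device-bound design: a captured code is useless on another device ---

def device_challenge() -> str:
    """Fresh per-install nonce generated by the installing device."""
    return secrets.token_hex(16)


def store_issue_bound(app_id: str, account: str, device_id: str, nonce: str) -> Authorization:
    return Authorization(app_id, account, device_id, nonce,
                         _sign(app_id, account, device_id, nonce))


def device_verify_bound(auth: Authorization, app_id: str, device_id: str,
                        device_account: str, expected_nonce: str) -> bool:
    # Every binding field must match what this device knows about itself and this install.
    return (auth.app_id == app_id
            and auth.device_id == device_id
            and auth.account == device_account
            and auth.nonce == expected_nonce
            and hmac.compare_digest(
                auth.mac, _sign(auth.app_id, auth.account, auth.device_id, auth.nonce)))


def demo() -> dict:
    """Compare the two designs against a code captured from a legitimate purchase."""
    app = "com.example.app"  # constructed app identifier
    # A code obtained from one genuine purchase on the purchaser's own machine.
    captured_weak = store_issue_weak(app, "purchaser@example.com")
    captured_bound = store_issue_bound(app, "purchaser@example.com",
                                       "purchaser-device", device_challenge())

    # Replayed to a different device: accepted under the weak design (the flaw).
    weak_replay = device_verify_weak(captured_weak, app)

    # The other device generates its own challenge; the captured bound code cannot match it.
    victim_nonce = device_challenge()
    bound_replay = device_verify_bound(captured_bound, app, "victim-device",
                                       "victim@example.com", victim_nonce)

    # A genuine purchase by the device's own account for this install still succeeds.
    legit = store_issue_bound(app, "victim@example.com", "victim-device", victim_nonce)
    bound_legit = device_verify_bound(legit, app, "victim-device",
                                      "victim@example.com", victim_nonce)

    return {"weak_replay_accepted": weak_replay,
            "bound_replay_accepted": bound_replay,
            "bound_legit_accepted": bound_legit}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the verification side: the device-bound check rejects the replayed code not because the MAC is wrong (it is still a genuine store-issued code) but because the device identity, account and nonce it carries were fixed for a different install. Detection follows the same logic: install authorizations whose purchasing account differs from the signed-in account, or that recur across many devices, are the signal a store operator would look for.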
A Windows-based iPhone management app called “Aisi Helper” has been used as the attack vector for AceDeceiver: users who download the tool inadvertently give the trojan easy access to their devices through the installation of pirated apps. Of course, all of this could be avoided if people didn’t steal apps, but that may be a conversation for a different time.
The end game here is the collection of Apple IDs and passwords, so if you live in China and have used Aisi Helper, we suggest resetting your Apple ID password and turning on 2-factor authentication ASAP. Hopefully it’s not too late. You can find the instructions on how to do so here: How To Enable Two-Step Verification For Apple ID / iTunes / iCloud.
Image caption: iOS client injected by the Aisi Helper Windows app, showing screens for installation of pirated apps and entry of Apple ID credentials.