A malware named ‘KeyRaider’ contributes to the world’s largest iCloud hijack and is speculated to affect over 225,000 jailbroken Apple devices.

Modified or jailbroken iOS running Apple devices have been targeted by a sophisticated malware called KeyRaider that stole more than 225,000 Apple accounts in a hijacking spree, reports The Register.

Amateur cybersecurity enthusiasts in China calling themselves WeipTech were notified about multiple reports of Apple users’ accounts being charged due to unauthorized purchases. The team quickly informed security researchers at Palo Alto and discovered that these unauthorized purchases affected jailbroken Apple devices.

Related Article: Two Zero-Day Vulnerabilities Discovered in Apple’s OS X

Upon further research, the researchers found a ‘tweak’ installed in the targeted devices. This modification was gathering user information before uploading it to a remote server.

It was here that the researchers discovered a database containing over 225,000 entries that consisted of encrypted data and plaintext. Plaintext entries included Apple IDs and usernames, passwords and GUIDS.

Claud Xiao of Palo Alto Networks wrote in a blog post explaining the attack, saying:

“By reverse-engineering the jailbreak tweak, WeipTech found a piece of code that uses AES encryption with fixed key of “mischa07″. The encrypted usernames and passwords can be successfully decrypted using this static key.

“They then confirmed that the listed user names were all Apple accounts and validated some of the credentials.”

Significantly, the KeyRaider malware stealing user and device data only affects jailbroken iOS devices. The malware is being distributed through various Cydia repositories on a Chinese Apple fan site, Weiphone.

The threat is estimated to impact users from 18 countries. They include Japan, China, France, Russia, United States, United Kingdom, Canada, Germany, Australia, Israel, Spain, Singapore and South Korea.

“We believe this to be the largest known Apple account theft caused by malware,” wrote Xiao before adding: “KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.”

The malware completes a hijack by disabling the unlock mechanism on iPhones and iPads, both remotely and locally. Multiple reports have surfaced where victims have been forced to submit to ransom demands.

Xiao recommends all affected users with a jailbroken device to change the Apple account password after removing the malware (instructions here). Two-factor verification is also strongly recommended.

Image credit: PixaBay