With a track record of practically zero mass malware infections in its eight-year history, the iPhone is a remarkably secure little computer. That is, until you jailbreak it, removing essentially all of its operating system’s security features, and start downloading shady Chinese apps. In that case, you might not be shocked—or at least shouldn’t be—to find that one of those rogue programs has been sharing your iTunes password with unsavory characters.
On Sunday, security firm Palo Alto Networks and a group of Chinese iPhone developers named Weiptech revealed that a piece of iPhone malware they call KeyRaider has stolen 225,000 iOS users’ iTunes login credentials. After someone installs the malware, which hides in packages of code that offer “tweaks” to the iPhone’s operating system, it’s designed to intercept their iTunes log-in details and send them to a remote server.
Each of those stolen accounts allows the victim’s iTunes payment information to be hijacked and used to install paid apps on other iOS devices. In fact, Palo Alto Networks says that a separate app designed to allow people to install free apps has been installed more than 20,000 times. Who is paying for those people’s free apps? KeyRaider’s victims. The researchers call the KeyRaider attack “the largest known Apple account theft caused by malware.”
The 225,000 victim accounts all apparently belong to people who jailbroke their iPhones so apps could be installed that aren’t approved by Apple’s app store. The practice is particularly popular among users outside the United States, and in this case the victims seem to be largely Chinese. Researchers came to this conclusion after WeipTech exploited a security vulnerability in the KeyRaider’s database of stolen credentials to download the entire collection and examined the email addresses associated with those accounts. Palo Alto Networks says that more than half of those addresses use the domain qq.com, a popular Chinese service. Other victims use Chinese domains like sina.com, 163.com and 139.com, though some stolen account details also include American domains like hotmail.com.
For the typical iPhone user, KeyRaider is a non-issue, since iOS’s restrictions allow you to run only code that’s been approved by Apple’s app store and cryptographically signed with the company’s key. “The average iPhone user hasn’t jailbroken their phone,” says Ryan Olson, a researcher at Palo Alto Networks. “If you’ve jailbroken your phone, you should worry about KeyRaider and a lot of other threats like it.”
For anyone unlucky enough to have infected their jailbroken iPhone with KeyRaider, the malware could be worse than someone else’s stolen iPhone apps showing up on your bill. Palo Alto Networks says that in some cases it’s also found evidence that the malware can be used to lock phones and hold them ransom. Palo Alto says it’s shared the list of stolen accounts with Apple, which didn’t immediately respond to WIRED’s request for comment.
If you believe you might be infected with KeyRaider, Palo Alto lays out a series of steps to find and delete the offending files. Then, perhaps, you should take stock of your freewheeling, jailbroken lifestyle, and consider coming back into Apple’s safe, comfortable prison with the rest of the iPhone flock.