News of scary new iPhone malware dubbed “Key Raider” is trending online, but there’s a caveat — it only hits phones that are jailbroken.
“The average iPhone user is not affected by this,” said Tyler Reguly, manager of the vulnerability and exposure research team at Tripwire, a Portland, Ore.-based security company.
Jail breaking refers to removed the operating system hardware restrictions on an Apple device such as an iPhone, iPad or iPod. It’s done to allow downloads of non-Apple approved apps.
The malicious software was reported by security firm Palo Alto Networks earlier this week.
The malware steals Apple account usernames, passwords and device information by intercepting iTunes traffic on the user’s device.
It gets on the phone when the user downloads an infected app — one that didn’t come from Apple’s App Store, said Apple spokesman Ryan James.
“To protect our users from malware, we curate App Store content and ensure all apps in the App Store adhere to our developer guidelines,” James said. “This issue only impacts those who not only have jailbroken devices, but have also downloaded malware from untrusted sources.”
Files discovered by the researchers found at least 225,000 Apple account had been compromised.
Most will not be in the United States. By some estimates, about 8% of iPhones globally have been jailbroken, often in Asia. It’s uncommon in U.S. iPhones outside of very technically proficient circles.
The malware is actually a good example of how well Apple’s built-in security works, as long as users don’t disable it, said Nicko Van Someren, chief technology officer with mobile security company Good Technology.
“Users wanting to run unauthorized application, or wishing to innovate in their apps beyond the bounds that Apple defines, need to consider carefully if the additional functionality is worth the additional risk,” he said.
While saying inside Apple’s walled garden of apps grates on some, Key Raider reminds users that “the world outside of Apple’s universe isn’t always so safe,” said Tim Erin, director of risk strategy at Tripwire.