Trojan Hooks Apple’s FairPlay DRM System

Friday, March 18, 2016 @ 02:03 PM gHale


There is a new iOS Trojan that can infect jailbroken and non-jailbroken Apple devices, leveraging a design flaw in the FairPlay DRM system.

The design flaw is not new: the technique, known as FairPlay Man-in-the-Middle (MitM), was first seen in February 2013, when it was used to spread pirated apps.


The iOS Trojan, called AceDeceiver, marks the first time a FairPlay MitM attack has been used to spread malware, said researchers at Palo Alto Networks.

FairPlay MitM is a simple approach in which the attacker plays an intermediary between the App Store and the user's computer or iOS device.

When a user buys an app from the App Store, they can also save a copy of it on their computer. To install that copy on one of their devices, iTunes on the computer requests an authorization code from Apple and receives it, researchers said.

A flaw in the FairPlay DRM allows an attacker to request this authorization code and then pass it to whatever device he chooses.

To turn FairPlay MitM into a weapon, the attackers created a Windows application called Aisi Helper, which also bundles tools for jailbreaking devices, creating backups and performing system cleaning, researchers said.

The software also has a feature for installing apps on a connected device; some of those apps come from Apple's App Store and some from third-party stores.

Aisi Helper makes users believe they are getting genuine apps bought from Apple's App Store, while in fact the attackers are recycling authorization codes and using Aisi Helper to push malicious apps onto the user's iOS device, researchers said.

Because FairPlay would otherwise block unauthorized apps from installing, the attackers also needed authorization codes from Apple's App Store for their own AceDeceiver-infected apps.

Using a bypass technique, the AceDeceiver operators managed to get three such apps accepted into Apple's App Store.

Once the apps were on the official store, the attackers downloaded them to their own devices, received the authorization codes, and used those codes to push the AceDeceiver-infected apps onto any iOS device connected to a PC running Aisi Helper, researchers said.

The installation happened silently, and it kept working even after Apple detected the three AceDeceiver-infected apps and removed them from its store.

That is because the authorization codes remained valid: once issued, they let the attackers bypass the device's FairPlay check at any later time, even after Apple had pulled the original apps.
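To make the two properties described above concrete (an authorization that is not bound to the device that installs it, and one that stays usable after the app has been pulled from the store), here is a small Python model added for this page. It is not FairPlay's real format or protocol and not Palo Alto Networks' code; the token layout, the HMAC construction, the store's online "still offered" check, the key, the account names and the bundle ID com.example.wallpaper are all assumptions made for illustration. The weak install path has both defects the article describes; the hardened path binds the authorization to a device identifier and re-checks the store before installing.

```python
import hashlib
import hmac
import json


def sign(key: bytes, payload: dict) -> str:
    """Toy authorization MAC. Assumption: a real DRM would verify a public-key
    signature here; a shared HMAC key is used only to keep the model offline."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Store:
    """Issues an install authorization after a purchase; can later pull an app."""

    def __init__(self, key: bytes):
        self.key = key
        self.available = {"com.example.wallpaper"}  # constructed catalog

    def authorize(self, account: str, app: str, device_id: str = "") -> dict:
        if app not in self.available:
            raise PermissionError("app is not in the store")
        payload = {"account": account, "app": app}
        if device_id:  # hardened variant binds the authorization to one device
            payload["device"] = device_id
        return {"payload": payload, "mac": sign(self.key, payload)}

    def remove_app(self, app: str) -> None:
        self.available.discard(app)

    def is_current(self, token: dict) -> bool:
        """Online check: is the authorized app still offered by the store?"""
        return token["payload"]["app"] in self.available


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.installed = set()

    def mac_ok(self, token: dict) -> bool:
        expected = sign(self.key, token["payload"])
        return hmac.compare_digest(expected, token["mac"])

    def install_weak(self, token: dict) -> bool:
        """Flawed check: any device holding a once-valid token may install,
        and nobody asks the store whether the app is still offered."""
        if not self.mac_ok(token):
            return False
        self.installed.add(token["payload"]["app"])
        return True

    def install_hardened(self, token: dict, store: Store) -> bool:
        """Hardened check: MAC, device binding and current store status."""
        payload = token["payload"]
        if not self.mac_ok(token):
            return False
        if payload.get("device") != self.device_id:
            return False
        if not store.is_current(token):
            return False
        self.installed.add(payload["app"])
        return True


KEY = b"toy-shared-verification-key"  # constructed for the model only
APP = "com.example.wallpaper"


def replay_against_weak_check() -> bool:
    """Attacker buys once, the store pulls the app, a victim device still installs."""
    store = Store(KEY)
    attacker_token = store.authorize("attacker@example.com", APP)
    store.remove_app(APP)
    victim = Device("victim-device", KEY)
    return victim.install_weak(attacker_token)


def replay_against_hardened_check() -> tuple:
    """Returns (replay_rejected, owner_install_ok, install_after_removal_rejected)."""
    store = Store(KEY)
    attacker_token = store.authorize("attacker@example.com", APP, "attacker-device")
    victim = Device("victim-device", KEY)
    replay_rejected = not victim.install_hardened(attacker_token, store)

    owner_token = store.authorize("victim@example.com", APP, "victim-device")
    owner_install_ok = victim.install_hardened(owner_token, store)

    later_token = store.authorize("other@example.com", APP, "other-device")
    store.remove_app(APP)
    other = Device("other-device", KEY)
    after_removal_rejected = not other.install_hardened(later_token, store)
    return replay_rejected, owner_install_ok, after_removal_rejected


if __name__ == "__main__":
    print("weak check, replayed token installs:", replay_against_weak_check())
    print("hardened check (replay rejected, owner ok, revoked rejected):",
          replay_against_hardened_check())
```

In a real system the device would verify a signature with the store's public key rather than share an HMAC key, and the online check would be a revocation lookup rather than a catalog scan; the point of the model is only that without a device binding and a revocation check, a single purchase yields an install credential that can be handed to any device indefinitely.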

The AceDeceiver Trojan can steal Apple ID credentials and, for users in China, also acts as a third-party store for installing other apps on infected devices.

The three AceDeceiver-infected apps were aisi.aisiring, aswallpaper.mito and i4.picture. Apple has removed them from its official store.
