Protection and Prevention
It’s important to remember that KeyRaider only impacts jailbroken iOS devices. Users of non-jailbroken iPhones or iPads will not be affected by this attack.
WeipTech has provided a query service on their website, “iCloud账号泄露查询” (iCloud Account Leak Query, by the 威锋技术组 / WeiPhone technical team), through which potential victims can check whether their Apple accounts were stolen. Palo Alto Networks provided the stolen account information to Apple on August 26. It is worth noting that WeipTech was only able to recover around half of the stolen accounts before the attacker fixed the vulnerability. Users who have ever installed apps or tweaks from untrusted Cydia sources could also be affected.
Palo Alto Networks has released DNS signatures to cover KeyRaider’s C2 traffic to prevent the malware from relaying credentials in protected networks.
Users can use the following method to determine for themselves whether their iOS devices were infected:
- Install the OpenSSH server through Cydia
- Connect to the device through SSH
- Go to /Library/MobileSubstrate/DynamicLibraries/ and grep all files under this directory for these strings:
  - wushidou
  - gotoip4
  - bamu
  - getHanzi
If any dylib file contains any one of these strings, we urge users to delete it, delete the plist file with the same filename, and then reboot the device.
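The manual check above can be scripted so that every dylib in the MobileSubstrate directory is tested for all four indicator strings at once and the matching plist is reported alongside each hit. The script below is an added example, not code from the original post or from Palo Alto Networks; it only reports, leaving the deletion and reboot to the user. It assumes a POSIX shell with a `grep` that accepts `-a` (GNU and BSD grep both do). When `DYLIB_DIR` is not set, it builds a constructed fixture directory with sample files so it can be run off-device; on a jailbroken device, set `DYLIB_DIR=/Library/MobileSubstrate/DynamicLibraries`.

```shell
#!/bin/sh
# Added example (not from the original post): scan a MobileSubstrate
# DynamicLibraries directory for the four KeyRaider indicator strings
# named in the write-up and report each matching dylib with its plist.

KEYRAIDER_STRINGS="wushidou gotoip4 bamu getHanzi"

# scan_dir DIR
# Prints one tab-separated line per suspicious dylib:
#   <dylib path>  <first indicator string matched>  <plist present: yes|no>
# Always returns 0; use count_matches for a numeric result.
scan_dir() {
    dir="$1"
    for f in "$dir"/*.dylib; do
        [ -f "$f" ] || continue
        for s in $KEYRAIDER_STRINGS; do
            # -a: treat the Mach-O binary as text; -F: literal match; -q: quiet
            if grep -aqF "$s" "$f"; then
                plist="${f%.dylib}.plist"
                if [ -f "$plist" ]; then p=yes; else p=no; fi
                printf '%s\t%s\t%s\n' "$f" "$s" "$p"
                break
            fi
        done
    done
    return 0
}

# count_matches DIR -> number of suspicious dylibs found
count_matches() {
    scan_dir "$1" | wc -l | tr -d ' '
}

# make_fixture -> prints the path of a constructed directory mimicking
# /Library/MobileSubstrate/DynamicLibraries/: one benign tweak, one dylib
# carrying an indicator string with its plist, and one matching dylib
# without a plist. These are sample text files, not real malware.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' 'harmless tweak code' > "$d/GoodTweak.dylib"
    printf '%s\n' '{ Filter = { Bundles = ( "com.apple.springboard" ); }; }' > "$d/GoodTweak.plist"
    printf '%s\n' 'binary junk ... gotoip4 ... more junk' > "$d/Suspicious.dylib"
    printf '%s\n' '{ Filter = { Bundles = ( "com.apple.springboard" ); }; }' > "$d/Suspicious.plist"
    printf '%s\n' 'xx getHanzi yy' > "$d/Orphan.dylib"
    echo "$d"
}

# report DIR -> human-readable summary of the scan
report() {
    dir="$1"
    n=$(count_matches "$dir")
    if [ "$n" -eq 0 ]; then
        echo "No KeyRaider indicator strings found in $dir"
        return 0
    fi
    echo "$n suspicious dylib(s) in $dir; remove each listed dylib and its plist, then reboot:"
    scan_dir "$dir"
}

# On a device: DYLIB_DIR=/Library/MobileSubstrate/DynamicLibraries sh scan.sh
# Without DYLIB_DIR the constructed fixture is scanned instead.
report "${DYLIB_DIR:-$(make_fixture)}"
```

Against the fixture the report lists `Suspicious.dylib` (matched `gotoip4`, plist present) and `Orphan.dylib` (matched `getHanzi`, no plist) and leaves `GoodTweak.dylib` alone; a dylib that matches on a string but has no companion plist still needs to be removed, so the plist column is informational only.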
We also suggest that all affected users change their Apple account password after removing the malware, and enable two-factor verification for their Apple IDs.
Our primary suggestion for those who want to prevent KeyRaider and similar malware is to never jailbreak your iPhone or iPad if you can avoid it. At this point in time, there aren’t any Cydia repositories that perform strict security checks on apps or tweaks uploaded to them. Use all Cydia repositories at your own risk.