Security company Palo Alto Networks announced it has found a Trojan that exploits flaws in Apple's DRM without needing to abuse enterprise certificates, the usual route for putting unapproved apps on non-jailbroken iOS devices. The company calls it "AceDeceiver." Currently, AceDeceiver only activates when the device's geographic location is in China.
The way the malware works is somewhat involved. According to Palo Alto Networks, AceDeceiver uses a technique called FairPlay Man-in-the-Middle: the attackers purchase the app from the App Store themselves, intercept the authorization code Apple's servers return (the code a device needs before it will accept the app), and save it for reuse. Users who install the client Aisi Helper, a program that impersonates iTunes when talking to the device, end up with an infected computer. When they plug in an iOS device, the client replays the saved authorization code, tricking the device into believing its owner purchased the app, at which point the device downloads and installs it.
Once the app is installed on the victim's phone, it prompts them for their Apple ID and password, which the attackers then have access to.
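The weakness the attack relies on is that an authorization code captured during one purchase can be replayed to other devices. The following is an added example, not code from the Palo Alto Networks report or from Apple: a deliberately simplified toy model of a purchase-authorization flow, not FairPlay itself. It shows a weak code that commits only to the app and purchasing account, which a replay succeeds against, beside a hardened code that also commits to the requesting device and a fresh per-install challenge, which the same replay fails against. The key, identifiers and account names are constructed; in the toy the device shares the store's HMAC key for verification, where a real system would verify a signature with a public key.

```python
import hashlib
import hmac
import os

# Constructed toy key standing in for the store's signing key (hypothetical).
STORE_KEY = b"constructed-store-secret"


def issue_auth_code(app_id, account, device_id=None, challenge=None):
    """Store side: produce the authorization code returned after a purchase.

    Weak binding (device_id and challenge omitted): the code commits only to
    the app and the purchasing account, so any device that sees it can use it.
    Hardened binding: the code also commits to the requesting device and to a
    fresh challenge that device chose, so a captured code is useless elsewhere.
    """
    msg = app_id.encode() + b"|" + account.encode()
    if device_id is not None:
        msg += b"|" + device_id.encode() + b"|" + challenge
    return hmac.new(STORE_KEY, msg, hashlib.sha256).digest()


class Device:
    """Toy iOS device: installs an app only when the authorization code checks out."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.installed = set()
        self.pending_challenge = None

    def start_install(self):
        # Hardened flow: the device picks a fresh challenge for this install.
        self.pending_challenge = os.urandom(16)
        return self.pending_challenge

    def install_weak(self, app_id, account, code):
        # Verifies only app + account, so a replayed code from another device passes.
        expected = issue_auth_code(app_id, account)
        if hmac.compare_digest(expected, code):
            self.installed.add(app_id)
            return True
        return False

    def install_hardened(self, app_id, account, code):
        # Verifies app + account + this device + the one-time challenge.
        if self.pending_challenge is None:
            return False
        expected = issue_auth_code(app_id, account, self.device_id, self.pending_challenge)
        self.pending_challenge = None  # each challenge is single-use
        if hmac.compare_digest(expected, code):
            self.installed.add(app_id)
            return True
        return False


def simulate_replay(app_id="com.example.trojan", attacker_account="attacker@example.com"):
    """Attacker buys once on their own machine, captures the code, replays it to a victim."""
    attacker_client = Device("ATTACKER-ITUNES-LOOKALIKE")
    victim = Device("VICTIM-IPHONE")

    # Weak flow: the code captured during the attacker's own purchase...
    captured_weak = issue_auth_code(app_id, attacker_account)
    assert attacker_client.install_weak(app_id, attacker_account, captured_weak)
    # ...is replayed unchanged to the victim's device.
    weak_replay = victim.install_weak(app_id, attacker_account, captured_weak)

    # Hardened flow: the captured code is bound to the attacker's device and challenge...
    challenge = attacker_client.start_install()
    captured_hard = issue_auth_code(app_id, attacker_account,
                                    attacker_client.device_id, challenge)
    assert attacker_client.install_hardened(app_id, attacker_account, captured_hard)
    # ...so the victim's device, expecting its own identity and challenge, rejects it.
    victim.start_install()
    hard_replay = victim.install_hardened(app_id, attacker_account, captured_hard)

    return {"weak_replay_succeeds": weak_replay,
            "hardened_replay_succeeds": hard_replay,
            "victim_installed": sorted(victim.installed)}


if __name__ == "__main__":
    print(simulate_replay())
```

The point of the hardened variant is not any particular primitive but the binding: once the store's authorization commits to the device that asked for it and to a value that device will only accept once, a code harvested from one purchase cannot be handed to other devices by a PC-side client, which is exactly the step Aisi Helper performs in the flow described above.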
According to Palo Alto Networks, FairPlay MITM has been used to pirate apps before, but this is the first time it has been used to spread malware. It also said the technique is fairly simple and is likely to be copied by other attackers. AceDeceiver could easily be modified to work in regions other than China, although the security company noted that the region-locked activation makes it harder for Apple or security firms to discover.
Palo Alto Networks said it notified Apple about AceDeceiver in late February, and the AceDeceiver apps were promptly removed from the App Store. Because the attack replays an authorization code that the attackers captured while the apps were still listed, removal from the store does not by itself invalidate codes they have already saved.