{
	"id": "ab99f828-f72e-4ebe-b7dc-5a13f244c7c4",
	"created_at": "2026-04-06T00:07:51.710064Z",
	"updated_at": "2026-04-10T13:11:31.267247Z",
	"deleted_at": null,
	"sha1_hash": "352d9991f418d2278b8f364065349004fc70b2ba",
	"title": "KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2047629,
	"plain_text": "KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia\r\nBy Claud Xiao\r\nPublished: 2015-08-31 · Archived: 2026-04-05 19:42:38 UTC\r\nExecutive Summary\r\nRecently, WeipTech was analyzing suspicious Apple iOS tweaks reported by users and found over 225,000 valid Apple accounts with passwords stored on a server.\r\nIn cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild. We have analyzed the samples to determine the author’s ultimate goal and have named this malware “KeyRaider”. We believe this to be the largest known Apple account theft caused by malware.\r\nKeyRaider targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China. In total, it appears this threat may have impacted users from 18 countries including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.\r\nThe malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUIDs by intercepting iTunes traffic on the device. KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionality on iPhones and iPads.\r\nKeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.\r\nThe purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. 
Jailbreak tweaks are software packages that allow users to perform actions that aren’t typically possible on iOS.\r\nThese two tweaks hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.\r\nSome victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.\r\nPalo Alto Networks and WeipTech have provided services to detect the KeyRaider malware and identify stolen credentials. In the remainder of this blog, we provide details about the malware and the attacks.\r\nhttp://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/\r\nPage 1 of 19\n\nFinding KeyRaider\r\nThe attack was first discovered by i_82, a student from Yangzhou University and member of WeipTech. WeipTech (Weiphone Tech Team) is an amateur technical group consisting of users from Weiphone, one of the largest Apple fan websites in China. Previously, WeipTech cooperated with us to report on other iOS and OS X malware including AppBuyer and WireLurker.\r\nBeginning in July 2015, WeipTech members began investigating reports that some users’ Apple accounts were used to make unauthorized purchases and to install iOS apps. By looking at the jailbreak tweaks these users had installed, they found one tweak that collected user information and uploaded it to an unexpected website. They then found that this website had a trivial SQL injection vulnerability that allowed access to all of the records in the “top100” database (Figure 1).\r\nFigure 1. 
WeipTech found the SQL injection vulnerability in the C2 server (from WeipTech)\r\nIn this database, WeipTech found a table named “aid” that contains 225,941 entries in total. Approximately 20 thousand entries include usernames, passwords and GUIDs in plaintext, while the rest of the entries are encrypted.\r\nBy reverse-engineering the jailbreak tweak, WeipTech found a piece of code that uses AES encryption with the fixed key “mischa07”. The encrypted usernames and passwords can be decrypted using this static key. They then confirmed that the listed usernames were all Apple accounts and validated some of the credentials. The WeipTech researchers dumped around half of all entries in the database before a website administrator discovered them and shut down the service. Because the key is hard-coded into every copy of the tweak, anyone holding both the tweak and a dump of the database can recover the plaintext, so the encryption gives the stolen data no real protection.\r\nOn August 25, WeipTech posted about the leak on their Weibo account, submitted a vulnerability report to Wooyun (a leading vulnerability crowdsourcing website in China) and forwarded the information to CNCERT/CC.\r\nWhen Palo Alto Networks researchers analyzed the tweak WeipTech mentioned in their report, we found that it did not contain malicious code to steal passwords and upload them to the C2 server. However, through other information WeipTech provided to us, we determined that there was other malware in the wild that was collecting the stolen credentials and uploading them to the same server.\r\nWe named this new iOS malware family “KeyRaider” because it raids victims’ passwords, private keys and certificates. 
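To make the C2 server weakness concrete, here is an added example (written for this page; it is not code from the report, from WeipTech or from the KeyRaider server) of the kind of record lookup that is trivially injectable, next to its parameterized fix. The aid table layout follows the report (username, password, GUID); the rows, the lookup-by-GUID shape, and the use of Python's sqlite3 as a stand-in for whatever database the server actually ran are all assumptions for illustration, since the real aid.php source was never published.

```python
import sqlite3


def build_sample_db():
    '''Constructed stand-in for the C2 server's top100 database: an aid table
    with the three columns the report describes. The rows are made up.'''
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE aid (username TEXT, password TEXT, guid TEXT)')
    con.executemany('INSERT INTO aid VALUES (?, ?, ?)', [
        ('victim1@example.com', 'hunter2', '00000000-0000-0000-0000-000000000001'),
        ('victim2@example.com', 'correct-horse', '00000000-0000-0000-0000-000000000002'),
        ('victim3@example.com', 'Tr0ub4dor&3', '00000000-0000-0000-0000-000000000003'),
    ])
    return con


def lookup_by_guid_vulnerable(con, guid):
    '''Hypothetical reconstruction of a trivially injectable lookup: the GUID
    supplied by the client is pasted straight into the SQL text, so a crafted
    value rewrites the WHERE clause. This is NOT the real aid.php code.'''
    sql = '''SELECT username, password, guid FROM aid WHERE guid = '%s' ''' % guid
    return con.execute(sql).fetchall()


def lookup_by_guid_safe(con, guid):
    '''The fix: bind the value as a query parameter so it can never change
    the structure of the statement, whatever characters it contains.'''
    sql = 'SELECT username, password, guid FROM aid WHERE guid = ?'
    return con.execute(sql, (guid,)).fetchall()


# Classic tautology payload, assembled with chr(39) to avoid quote escaping.
# It reads:  x' OR '1'='1
Q = chr(39)
PAYLOAD = 'x' + Q + ' OR ' + Q + '1' + Q + '=' + Q + '1'


def demo():
    '''Row counts returned for a legitimate GUID and for the payload, through
    the injectable and the parameterized lookup.'''
    con = build_sample_db()
    legit = '00000000-0000-0000-0000-000000000002'
    return {
        'normal_vulnerable': len(lookup_by_guid_vulnerable(con, legit)),
        'normal_safe': len(lookup_by_guid_safe(con, legit)),
        'payload_vulnerable': len(lookup_by_guid_vulnerable(con, PAYLOAD)),  # every row
        'payload_safe': len(lookup_by_guid_safe(con, PAYLOAD)),              # nothing
    }


if __name__ == '__main__':
    print(demo())
```

The injectable version hands back the whole table for one crafted parameter, which is exactly the outcome the report describes: a single trivial injection exposed every record in the aid table. The parameterized version treats the same payload as an opaque GUID string and matches nothing.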
(Just like “Lurker” and “Reaper”, Raider is also a unit in Blizzard’s real-time strategy games.)\r\nKeyRaider Distribution\r\nKeyRaider, as far as we know, only spreads through Weiphone’s Cydia repositories for jailbroken iOS devices. Unlike other Cydia sources such as BigBoss or ModMyi, Weiphone provides private repository functionality for each registered user so that they can directly upload their own apps and tweaks and share them with each other.\r\nOne Weiphone user, named “mischa07”, uploaded at least 15 KeyRaider samples to his personal repository so far in 2015 (Figure 2). Since his user name was also hard-coded into the malware as the encryption and decryption key (Figure 3), we strongly suspect mischa07 is KeyRaider’s original author.\r\nFigure 2. mischa07's personal Cydia repository\r\nFigure 3. \"mischa07\" was hardcoded in the malware as the encryption key\r\nAccording to Weiphone’s web page, some of the tweaks mischa07 uploaded have been downloaded tens of thousands of times (Figure 4). These apps and tweaks provide functionality such as game cheating, system tuning and app advertisement stripping.\r\nNote that there are two especially interesting tweaks in mischa07’s repository:\r\niappstore (Figure 5): Provides a service to download non-free apps from Apple’s official App Store without purchase.\r\niappinbuy: Provides a service to get some official App Store apps’ In-App-Purchase items totally free.\r\nMischa07 even posted in the Weiphone forum to promote these two tweaks, but some users didn’t believe their supposedly magic functionality. 
However, from Weiphone’s website, iappinbuy still received 20,199 downloads (Figure 4), while iappstore got 62 (only counting the newest version).\r\nFigure 4. One malicious sample was downloaded over 30,000 times\r\nFigure 5. The iappstore tweak can directly install non-free apps from the App Store\r\nFigure 6. Author promotes his iappstore tweak\r\nAnother Weiphone user that distributed the KeyRaider malware is “氵刀八木” or “bamu”. Bamu's personal repository is pretty popular in the community since he frequently provides useful tools. After the attack was exposed, bamu deleted almost all of the malware he had uploaded from the repository and denied it on the forum. However, with help from Weiphone, we checked all apps or tweaks he has ever uploaded and found that at least 77 of them will install the KeyRaider malware on victims’ iOS devices. While mischa07 appears to have created the malware and developed different versions of it, bamu’s malicious apps are mostly created by repackaging existing apps or tweaks such as iFile, iCleanPro and avfun with the malware.\r\nWhen KeyRaider uploads a hijacked user password to its C2 server, it includes a parameter named “flag” or “from” in the HTTP URL to track the source of the infection. In mischa07’s code, the value of these parameters is always the app’s name, such as “letv”. In bamu’s samples, the value is always “bamu”. 
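As an added example (not code from the report or from either distributor), the following script turns the indicators this report gives into a check over HTTP proxy log lines: the two C2 host names (written defanged in the report and re-fanged here), the IP address they resolved to, the four PHP endpoints on the server, and the flag/from parameter whose value attributes each upload to mischa07's own builds (an app name) or to bamu's repackaged apps. The log format, the client addresses and the query strings are constructed for the example; the report documents only the parameter names flag and from, so the endpoint-to-table mapping is inferred from the table names and the purpose of data.php is left as unknown.

```python
from urllib.parse import urlsplit, parse_qs


def refang(ioc):
    '''Turn a defanged indicator such as top100.gotoip4[.]com into a hostname.'''
    return ioc.replace('[.]', '.')


# Indicators from the report: two C2 domains and the IP they resolved to.
C2_HOSTS = {refang(h) for h in ('top100.gotoip4[.]com', 'www.wushidou[.]cn')}
C2_HOSTS.add('113.10.174.167')

# The four PHP scripts named in the report. Which table each one fronts is an
# assumption drawn from the names; data.php is not described.
SCRIPT_MEANING = {
    'aid.php': 'Apple ID, password and device GUID (aid table)',
    'cert.php': 'APNS certificate and private key (cert table)',
    'other.php': 'GUID and App Store purchase receipt (other table)',
    'data.php': 'purpose not documented in the report',
}


def classify_request(url):
    '''Return None if url is not KeyRaider C2 traffic, else a dict describing
    the endpoint, the kind of stolen data and the distributor tag. The report
    says mischa07's samples put the app name in flag/from while bamu's always
    send bamu; any other hit on a C2 host is still reported as suspicious.'''
    parts = urlsplit(url)
    if parts.hostname not in C2_HOSTS:
        return None
    script = parts.path.rsplit('/', 1)[-1]
    params = parse_qs(parts.query)
    tag = (params.get('flag') or params.get('from') or [None])[0]
    if tag is None:
        source = 'unknown'
    elif tag == 'bamu':
        source = 'bamu (repackaged app)'
    else:
        source = 'mischa07 (' + tag + ')'
    return {
        'script': script,
        'data': SCRIPT_MEANING.get(script, 'unknown endpoint on known C2 host'),
        'source': source,
        'tag': tag,
    }


def scan_proxy_log(lines):
    '''Parse constructed proxy log lines of the form
    <timestamp> <client-ip> <method> <url> [...] and return one finding per hit.
    Lines with fewer than four fields are skipped.'''
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, method, url = fields[:4]
        hit = classify_request(url)
        if hit:
            hit.update({'ts': ts, 'client': client, 'method': method})
            findings.append(hit)
    return findings


def summarize(findings):
    '''Count hits per attributed distributor, the same attribution the report
    used to conclude that most stolen accounts came via bamu.'''
    counts = {}
    for f in findings:
        counts[f['source']] = counts.get(f['source'], 0) + 1
    return counts


# Constructed sample log; not real captured traffic.
SAMPLE_LOG = [
    '2015-08-20T10:01:02Z 10.0.0.12 GET http://www.apple.com/ 200',
    '2015-08-20T10:01:05Z 10.0.0.12 POST http://top100.gotoip4.com/aid.php?flag=letv 200',
    '2015-08-20T10:02:11Z 10.0.0.33 POST http://www.wushidou.cn/cert.php?from=bamu 200',
    '2015-08-20T10:03:00Z 10.0.0.33 GET http://113.10.174.167/index.html 404',
    'truncated line',
    '2015-08-20T10:04:40Z 10.0.0.51 POST http://www.wushidou.cn/other.php?from=bamu 200',
]


if __name__ == '__main__':
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(h['ts'], h['client'], h['script'], '|', h['data'], '|', h['source'])
    print(summarize(hits))
```

A hit on a C2 host is reported even when the path is not one of the four known scripts, because the host itself is the indicator the report's DNS signatures key on; the endpoint and flag/from value only add context about which data was taken and which distributor's build sent it.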
From leaked data, we found that over 67% of stolen accounts came from bamu.\r\nSince bamu is only a distributor, the behavior analysis below will mainly focus on samples directly distributed by mischa07.\r\nStolen User Data\r\nKeyRaider collects three kinds of user data and uploads them to its C2 server over HTTP; we identified two different C2 servers:\r\ntop100.gotoip4[.]com\r\nwww.wushidou[.]cn\r\nDuring the course of our analysis, these domain names resolved to the IP address 113.10.174.167. In the “top100” database on this server there are three tables: “aid”, “cert” and “other”. KeyRaider uses four PHP scripts on the server to access the database: aid.php, cert.php, other.php and data.php.\r\nBy analyzing the code and the data dumped by WeipTech, we found that the “aid” table stored 225,941 stolen Apple ID user name, password and device GUID combinations. The “cert” table stored 5,841 entries of infected devices’ certificates and private keys that are used by Apple’s push notification service (Figure 7). Finally, the “other” table stored over 3,000 entries of device GUIDs and app purchasing receipts from the App Store server.\r\nFigure 7. One entry in the leaked cert table\r\nWe sorted the email addresses from the stolen Apple IDs and found that more than half of them used the email service provided by Tencent. Below are the top 10 most popular email address domains among the stolen accounts. 
(Six of them are primarily in use by Chinese users):\r\n@qq.com\r\n@163.com\r\n@icloud.com\r\n@gmail.com\r\n@126.com\r\n@hotmail.com\r\n@sina.com\r\n@vip.qq.com\r\n@me.com\r\n@139.com\r\nHowever, we also found some email addresses that belong to other countries’ or regions’ domain names, including:\r\ntw: Taiwan\r\nfr: France\r\nru: Russia\r\njp: Japan\r\nuk: United Kingdom\r\nca: Canada\r\nde: Germany\r\nau: Australia\r\nus: United States\r\ncz: Czech Republic\r\nil: Israel\r\nit: Italy\r\nnl: Netherlands\r\nes: Spain\r\nvn: Vietnam\r\npl: Poland\r\nsg: Singapore\r\nkr: South Korea\r\nMalicious Behaviors\r\nThe KeyRaider malicious code exists in Mach-O dynamic libraries that are used as plugins for the MobileSubstrate framework. Through MobileSubstrate APIs, the malware can hook arbitrary APIs in system processes or in other iOS apps.\r\nMany previous iOS malware families also abused MobileSubstrate. For example, Unflod (aka SSLCreds or Unflod Baby Panda), which was found by Reddit users and analyzed by SektionEins, used it to intercept SSL encrypted traffic and steal Apple account passwords. The AppBuyer malware discovered last year used the same technique to steal passwords and to purchase apps from the App Store. KeyRaider takes this technique another step\r\n
It implemented the following malicious behaviors:\r\nStealing Apple account (user name and password) and device GUID\r\nStealing certificates and private keys used by Apple Push Notification Service\r\nPreventing the infected device being unlocked by passcode or by iCloud service\r\nStealing Apple Account Data\r\nMost KeyRaider samples hook SSLRead and SSLWrite functions in the itunesstored process (Figure 8).\r\nitunesstored is the system daemon that is responsible for communicating with the App Store using the iTunes\r\nprotocol.\r\nFigure 8. KeyRaider hooks SSLRead and SSLWrite in itunesstored\r\nhttp://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/\r\nPage 9 of 19\n\nWhen the App Store client asks the user to input their Apple account for login, the information is sent to the App\r\nStore server via an SSL encrypted session. In the replacement function of SSLWrite, KeyRaider looks for this kind\r\nof login session, and searches for specific patterns to find the Apple account’s username, password and device’s\r\nGUID in the data being transferred (Figure 9). Next, in the replacement function for SSLRead, these credentials\r\nare encrypted using the AES algorithm with the static key “mischa07”, and then sent to the KeyRaider C2 server\r\n(Figure 10).\r\nFigure 9. Searching for Apple account information in SSL data\r\nFigure 10. Uploading stolen credentials to the C2 server\r\nIn addition to hooking SSLRead and SSLWrite, KeyRaider also invokes MGCopyAnswer(“UniqueDeviceID”) to\r\nread the device GUID.\r\nStealing Certificates and Private Keys\r\nhttp://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/\r\nPage 10 of 19\n\nIn some samples, KeyRaider also hooks the apsd process -- the daemon process responsible for Apple Push\r\nNotification Service on iOS systems. 
It hooks the SecItemCopyMatching function defined in the Security framework. This API is used to search for keychain items that match a given search query.\r\nAfter installing the hook, when the search query has a label value of “APSClientIdentity”, KeyRaider will execute the original SecItemCopyMatching, then invoke SecIdentityCopyCertificate and SecIdentityCopyPrivateKey to copy the certificate and private key from the original function’s return result (Figure 11). Together with the GUID, these credentials are then sent to the C2 server (Figure 12). In the iOS keychain, the identity labeled APSClientIdentity is used for push notifications. With these credentials, an attacker can create a fake push notification to the system.\r\nFigure 11. Copy push service's certificate and private key\r\nFigure 12. Upload certificate and key\r\nLock Device\r\nWhen KeyRaider hooks SecItemCopyMatching, in addition to intercepting the notification credentials, it also compares the current query’s label with a very specific string, “com.apple.lockdown.identity.activation”. If the label matches, KeyRaider sets the query’s result to zero (Figure 13).\r\nFigure 13. Set lockdown activation result always to zero\r\nAt the time of this publication, there isn’t any public documentation of the com.apple.lockdown.identity.activation query on the Internet. We believe that this query is used to unlock devices. By setting this query’s result to zero, KeyRaider may prevent users from unlocking their own devices either by locally entering the correct unlock passcode or by remotely unlocking the devices via iCloud.\r\nNote that in all samples we’ve found thus far, this piece of code is standalone and not invoked by any other code; it has only been implemented there and exported as a function. 
However, we have evidence that real attacks using this functionality have occurred.\r\nFree Apps For Everyone!\r\nSome samples of KeyRaider implemented code to download purchase receipts and Apple accounts from the C2 server. However, only in the iappstore and iappinbuy jailbreak tweaks were these actually used.\r\nAccording to the author’s description, iappstore can be used to download any app from the App Store totally free. Let’s take a look at how they make that possible.\r\nThe app hooks the SSLWrite API twice. The first hook is used for password stealing just like the others. The second hook tries to determine whether the current HTTP request is equal to \"POST /WebObjects/MZBuy.woa/wa/buyProduct\". This is used to determine if the session is making a purchase using the iTunes protocol (Figure 14).\r\nFigure 14. Hooking app purchase session\r\nIf the request is making the purchase, the next time SSLWrite is invoked, the hooking code will try to match keywords such as “salableAdamId”, “appExtVrsId”, “vid”, “price”, “guid”, “installedSoftwareRating” and “pricingParameters” in the data being sent to get payment information about the current app. If the app is not free, a function named fire() is then invoked.\r\nThe fire() function then invokes the readAid() function. readAid() reads a local file located at /var/mobile/Documents/iappstore_aid.log. This file contains an Apple account’s username, password, device GUID, related iTunes session token, cookie, phone number and carrier, operating system information and iTunes CDN server number. The function then parses this data and creates an Account object.\r\nIf the file doesn’t exist, it will invoke the readAidUrl() function, which downloads new account information from KeyRaider’s C2 server and creates an Account object (Figure 15). 
Figure 16 shows an account downloaded from the server.\r\nFigure 15. Downloads Apple account from C2 server\r\nFigure 16. Stolen Apple account was downloaded from C2 server\r\nAfter creating the Account object, fire() will generate a plist format string that contains the account information, invoke login(), then invoke sendBuy().\r\nThe login() function constructs an HTTP connection to the following URL with the plist string and an App Store client-like user agent value:\r\np*-buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/authenticate\r\nThis causes the current iTunes session to be logged in with the remote Apple account (Figure 17).\r\nFigure 17. Emulating login protocol\r\nAfter the login request, login() will parse the returned result for the cookie, token and other information and will save this data together with the account password to the local iappstore_aid.log file, to be used for the next purchase. If the login failed due to a password error, it will invoke readAidUrl() again to get a different Apple account from the C2 server.\r\nThe sendBuy() function works similarly to the login() function but requests another URL for app purchasing verification:\r\np*-buy.itunes.apple.com/WebObjects/MZBuy.woa/wa/buyProduct\r\nThrough this procedure, the iappstore tweak can successfully purchase any app using another person’s stolen Apple account.\r\nNote that, besides these operations, in two standalone functions implemented in this sample, verifySF() and verifySF2(), KeyRaider also tries to get or use information about the Apple account’s password recovery questions and answers. 
This functionality hasn’t been finished in the samples we analyzed.\r\nThe functionality of iappinbuy is similar to iappstore. The only difference is that the purchase interface has changed, as well as some of the parameters used (Figure 18). Since the C2 server database also stored some previous In-App-Purchase receipts, it seems that the author also planned to implement functionality to reuse these receipts, possibly to send them to Apple to prove that they have previously purchased an item.\r\nFigure 18. In-App-Purchase verification request\r\nPhones Held for Ransom\r\nIn addition to stealing Apple accounts to buy apps, KeyRaider also has built-in functionality to hold iOS devices for ransom.\r\nSome previous iPhone ransomware attacks are based on remotely controlling the iOS device through the iCloud service. Some of these attacks can be avoided by resetting the account password to regain control of iCloud.\r\nKeyRaider is different. It can locally disable any kind of unlocking operation, whether or not the correct passcode or password has been entered. Also, it can send a notification message demanding a ransom directly using the stolen certificate and private key, without going through Apple’s push server. Because of this functionality, some of the previously used “rescue” methods are no longer effective.\r\nWe know that KeyRaider has been used to hold a phone for ransom, as one victim reported that his phone was locked and the message shown on screen was “Please contact by QQ or phone to unlock it.” (Figure 19)\r\nFigure 19. Ransom message on locked iPhone\r\nOther Potential Risks\r\nAt the Palo Alto Networks Ignite 2015 conference back in April we introduced the underground economy and supply chain involved with iOS hacking. 
KeyRaider plays a very important role in this chain.\r\nWith a victim’s Apple account and password, attackers can launch all kinds of additional attacks. For example, they can control the device through iCloud and compromise the victim’s private data contained in their iMessage logs, contacts, photos, emails, documents and location. In 2014, for example, many celebrities’ iCloud accounts were hacked and photos leaked, which raised awareness of the threat from stolen Apple account credentials.\r\nAdditionally, there are many other ways to profit from these stolen accounts.\r\nApp Promotion\r\nSome developers will pay money for their apps to occupy a better position in App Store rankings, and installation count is one of the most important factors in creating these rankings. Using the stolen data, attackers can easily install “promoted” iOS apps from the App Store to increase their installation count. In fact, many of KeyRaider’s victims reported that their Apple accounts had an abnormal app downloading history, which led to the discovery of this attack.\r\nCash Back\r\nAttackers can purchase non-free iOS apps from the App Store using stolen accounts. The fee will be paid by victims, but the money goes to Apple and then partly to developers. The developers then share this income with the attackers, as was the case with the AppBuyer malware.\r\nSpam\r\nValid Apple account usernames can also be sold standalone for use by spammers. Previous SMS-based spam may cost money to send and is easily blocked by carriers. However, iMessage-based spam only needs Internet access and the recipient’s Apple ID. 
This kind of spam has become very popular in the last two years.\r\nRansom\r\nHolding the victims’ Apple accounts, their devices or the information contained in their iCloud storage for ransom can also generate revenue for the attacker.\r\nDevice Unlocking\r\nThese stolen accounts can also be sold in another market. Apple adopted a security mechanism to prevent lost or stolen devices from being wiped and re-sold that requires you to verify the Apple ID before wiping. Hence there is now a market for individuals looking for certain devices’ Apple account information.\r\nOther Future Attacks\r\nCombined with personal data in iCloud, stolen accounts can also be used in social engineering, fraud and targeted attacks.\r\nProtection and Prevention\r\nIt’s important to remember that KeyRaider only impacts jailbroken iOS devices. Users of non-jailbroken iPhones or iPads will not be affected by this attack.\r\nWeipTech has provided a query service on their website http://www.weiptech.org/ for potential victims to check whether their Apple accounts were stolen. Palo Alto Networks provided the stolen account information to Apple on August 26. Worth noting is that WeipTech was only able to recover around half of the stolen accounts before the attacker fixed the vulnerability, so a negative result from the query service does not prove that an account was not stolen. Users who have ever installed apps or tweaks from untrusted Cydia sources could also be affected.\r\nPalo Alto Networks has released DNS signatures to cover KeyRaider’s C2 traffic to prevent the malware from relaying credentials in protected networks.\r\nUsers can use the following method to determine by themselves whether their iOS devices were infected:\r\n1. Install the openssh server through Cydia\r\n2. Connect to the device through SSH\r\n3. 
Go to /Library/MobileSubstrate/DynamicLibraries/ and grep all files under this directory for these strings:\r\nwushidou\r\ngotoip4\r\nbamu\r\ngetHanzi\r\nIf any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.\r\nWe also suggest that all affected users change their Apple account password after removing the malware, and enable two-factor verification for their Apple IDs.\r\nOur primary suggestion for those who want to prevent KeyRaider and similar malware is to never jailbreak your iPhone or iPad if you can avoid it. At this point in time, there aren’t any Cydia repositories that perform strict security checks on apps or tweaks uploaded to them. Use all Cydia repositories at your own risk.\r\nSamples Information\r\nSHA-1 values of some KeyRaider samples are listed here:\r\n9ae5549fdd90142985c3ae7a7e983d4fcb2b797f  CertPlugin.dylib\r\nbb56acf8b48900f62eb4e4380dcf7f5acfbdf80d  MPPlugin.dylib\r\n5c7c83ab04858890d74d96cd1f353e24dec3ba66  iappinbuy.dylib\r\n717373f57ff4398316cce593af11bd45c55c9b91  iappstore.dylib\r\n8886d72b087017b0cdca2f18b0005b6cb302e83d  9catbbs.GamePlugin_6.1-9.deb\r\n4a154eabd5a5bd6ad0203eea6ed68b31e25811d7  9catbbs.MPPlugin_1.3.deb\r\ne0576cd9831f1c6495408471fcacb1b54597ac24  9catbbs.iappinbuy_1.0.deb\r\naf5d7ffe0d1561f77e979c189f22e11a33c7a407  9catbbs.iappstore_4.0.deb\r\na05b9af5f4c40129575cce321cd4b0435f89fba8  9catbbs.ibackground_3.2.deb\r\n1cba9fe852b05c4843922c123c06117191958e1d  repo.sunbelife.batterylife_1.4.1.deb\r\nAcknowledgements\r\nSpecial thanks to i_82 from Yangzhou University and WeipTech for sharing data, reports and all kinds of useful information with us.\r\nThanks to CDSQ from WeipTech and thanks to Weiphone for providing potential samples to us. 
Thanks to Xsser and Fenggou from Wooyun for information sharing.\r\nThanks to Sereyvathana Ty, Zhaoyan Xu and Rongbo Shao from Palo Alto Networks for their effort on detecting the threat. Thanks to Ryan Olson from Palo Alto Networks for reviewing and revising this report.\r\nSource: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
	],
	"report_names": [
		"keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/352d9991f418d2278b8f364065349004fc70b2ba.pdf",
		"text": "https://archive.orkl.eu/352d9991f418d2278b8f364065349004fc70b2ba.txt",
		"img": "https://archive.orkl.eu/352d9991f418d2278b8f364065349004fc70b2ba.jpg"
	}
}