Nearly a quarter of a million owners of Apple’s iPhone may be at risk of having their iTunes accounts hijacked or their devices held hostage by intruders.
That’s because hackers have distributed malware that allows users to steal log-in credentials and purchase apps and media from both the App and iTunes stores, according to a report published Sunday by Palo Alto Networks, a digital security firm.
The attack is thought to be the largest known theft of data from Apple accounts caused by malware, the firm said.
The malware, known as KeyRaider, affects iPhones whose users have disabled, or jailbroken, the operating system on their devices to allow installation of third-party apps. As of Sunday, thieves had used KeyRaider to steal nearly 226,000 valid Apple accounts, along with certificates, private keys and other security features, the firm said.
“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying,” Claud Xiao, a security researcher at Palo Alto Networks, wrote in a blog post.
No much ppl realized how amazing the unlocking hook in KeyRaider is, or how crazy its goal is.
— Claud Xiao (@claud_xiao) August 31, 2015
As of Sunday, about 20,000 people had downloaded the malware, suggesting that at least that many people are misusing credentials stolen from iTunes accounts. The malware, which also allows intruders to hold phones hostage in return for ransom, has appeared in 18 countries, including the U.S., China and the U.K.
Palo Alto Networks traced the malware after members of Weiphone, a community of iPhone fans based in China, discovered unauthorized charges in their iTunes accounts.
The malware offers a reminder that jailbreaking carries risks. “Most security experts discourage the practice unless it’s done by highly experienced people who know exactly what code they’re using to circumvent Apple engineers’ safeguards and, once that’s done, what alternative apps they’re installing,” Dan Goodin wrote Monday at Ars Technica.