A new iOS trojan called AceDeceiver has been spotted in China that can infect non-jailbroken iPhones and iPads through PCs without needing to exploit an enterprise certificate. It was discovered by Palo Alto Networks and currently affects only users in China. To do its work, AceDeceiver uses a technique known as a “FairPlay Man-in-the-Middle” and is spread through pirated App Store apps.
About FairPlay: it is Apple’s digital rights management (DRM) software, and it is what ensures that applications installed on iOS devices are of legitimate origin rather than pirated. AceDeceiver infects an iOS device by taking advantage of flaws in Apple’s DRM system. Pirated iOS apps have been spread in the past by using fake iTunes software and spoofed authorization codes to get the apps onto devices running iOS. The same mechanism is now being used to spread the AceDeceiver malware.
Apple allows users to purchase and download iOS apps from the App Store through the iTunes client running on their computer. They can then use the computer to install the apps onto their iOS devices. An iOS device will request an authorization code for each app installed to prove the app was actually purchased. In the FairPlay MITM attack, attackers purchase an app from the App Store, then intercept and save the authorization code.
They then develop PC software that simulates the iTunes client’s behavior and tricks iOS devices into believing the app was purchased by the victim. As a result, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge.
Unfortunately, this very protection is what currently allows some Chinese iOS users to become infected with the AceDeceiver trojan. Why? Because of the way FairPlay works: an authorization code is required each time an iOS app is installed. This code, once stolen from a legitimate iOS App Store app, can later be used to install infected apps onto an iPhone or iPad without the user’s login credentials.
From July 2015 to February 2016, three AceDeceiver iOS apps were uploaded to Apple’s official App Store, posing as wallpaper apps and providing attackers with a fake authorization code to use in the AceDeceiver attacks. A Windows-based iPhone management app called “Aisi Helper” has been used as the attack vector for AceDeceiver; users who download the tool inadvertently give the trojan easy access to their devices through the installation of pirated apps. The management app, which claimed to provide services like system backup and cleaning, was installed by users in China. It then went on to install malicious iOS apps on connected devices. The apps were specifically designed to appear as third-party app stores with free content, to bait users into using them and submitting their Apple IDs and passwords. That information was then uploaded to the AceDeceiver server.
Of course, all of this could be avoided if people didn’t steal apps, but that may be a conversation for a different time. Apple has removed the original AceDeceiver iOS apps, which hackers once used to obtain the authorization codes, from its iTunes App Store, but attacks remain active because attackers still have the previously stolen codes and can use them to install fake apps on iOS devices. AceDeceiver currently affects only users in China, but Palo Alto Networks believes the trojan or similar malware could spread to additional regions in the future. It is especially insidious because it has not been patched, it installs apps automatically from an infected computer, and it does not require an enterprise certificate.
If you have already downloaded this software, remove it immediately and change your Apple ID password. We suggest resetting your Apple ID password and turning on 2-factor authentication ASAP.
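The replay weakness described above can be shown with an abstract model. This is an added example, not code from Palo Alto Networks or Apple, and it does not reproduce the real FairPlay protocol: the HMAC scheme, the `Device` class and all identifiers are assumptions chosen to contrast a code that only proves "someone bought this app" with one bound to the requesting device and a fresh challenge.

```python
import hashlib
import hmac
import os

STORE_KEY = os.urandom(32)  # assumption: stands in for the store's signing secret

def _mac(*parts: bytes) -> bytes:
    # HMAC stands in for whatever the real store uses to authenticate codes.
    return hmac.new(STORE_KEY, b"|".join(parts), hashlib.sha256).digest()

def issue_unbound(app_id: str) -> bytes:
    """Weak model: the code only says 'this app was purchased by someone'."""
    return _mac(app_id.encode())

def accepts_unbound(app_id: str, code: bytes) -> bool:
    return hmac.compare_digest(code, issue_unbound(app_id))

def issue_bound(app_id: str, device_id: str, nonce: bytes) -> bytes:
    """Hardened model: the code covers the requesting device and a fresh nonce."""
    return _mac(app_id.encode(), device_id.encode(), nonce)

class Device:
    def __init__(self, device_id: str):
        self.device_id = device_id
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def accepts_bound(self, app_id: str, code: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # each challenge is single-use
        if nonce is None:
            return False
        return hmac.compare_digest(code, issue_bound(app_id, self.device_id, nonce))

def replay_demo():
    app = "com.example.wallpaper"  # constructed app id
    saved = issue_unbound(app)                # captured once on the buyer's PC
    weak = accepts_unbound(app, saved)        # replayed to another device
    buyer, victim = Device("buyer-device"), Device("victim-device")
    captured = issue_bound(app, buyer.device_id, buyer.challenge())
    victim.challenge()
    replayed = victim.accepts_bound(app, captured)   # wrong device and nonce
    fresh = issue_bound(app, victim.device_id, victim.challenge())
    legit = victim.accepts_bound(app, fresh)
    reused = victim.accepts_bound(app, fresh)        # nonce already consumed
    return weak, replayed, legit, reused
```

In the unbound model the saved code stays valid after the purchase, which matches the article's point that removing the original apps from the store does not invalidate codes already captured.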
You can find the instructions on how to do so here: How To Enable Two-Step Verification For Apple ID / iTunes / iCloud.
(Source: Palo Alto Networks)