Skip to main content

New AceDeceiver iOS malware could fuel a new generation of iPhone and iPad exploits

ios 9 3 1 update universal links bug iphone connected to computer 01
Apple Stack Exchange
Listen up! A new family of iOS malware has been discovered by Palo Alto Networks, and it can affect all iPhones and iPads. However, this isn’t your normal run-of-the-mill iOS malware.

Dubbed AceDeceiver, this malware is able to install itself without an enterprise certificate, unlike previous iOS malware that abused enterprise certificates in order to infect devices. This is also the first iOS malware that exploits design flaws in Apple’s DRM protection mechanism, FairPlay, which means that it can infect devices that aren’t jailbroken.

Recommended Videos

How AceDeceiver works

The malware initiates itself from a Windows PC with iTunes running on it. Apple allows you to purchase apps from the iTunes client that later get installed on your iOS device. During that process, your device requests an authorization code to prove these apps were actually purchased. This is the FairPlay DRM protection mechanism AceDeceiver exploits.

Please enable Javascript to view this content

The technique is known as FairPlay Man-In-The-Middle (MITM), which consists of the attacker purchasing an app from the App Store and intercepting the authorization code.

The attacker uses specifically developed software on the PC side that simulates the iTunes client to trick your iOS device into believing an app was purchased, thus making it easy to install malicious apps from a third-party app store without you even knowing it.

The graphic below gives you a visual of how it works.

AceDeceiver_Graphic_01
Image used with permission by copyright holder

The FairPlay MITM technique has been in use since 2013 to spread pirated iOS apps, but this is the first time it’s being used to spread malware.

Unfortunately, the report didn’t specify exactly what the malware does once it takes up residence on your device. Malware generally consists of malicious code that’s used to either gain access to a device to steal information or to render the device useless.

The Windows client used to carry out the attack is called Aisi Helper. Created in 2015, Aisi Helper is marketed as a software that provides system re-installation, jailbreaking, system backup, device management, and system cleaning for iOS devices. However, it can also install malicious apps on any iOS device connected to a computer that the Aisi Helper software is installed on. These malicious apps can connect to a third-party app store to download iOS apps or games, and they encourage users to enter their Apple IDs and passwords for more features. And of course, these IDs and passwords get uploaded to AceDeceiver’s server.

It was also discovered that AceDeceiver was able to spread without a PC. Palo Alto revealed three different iOS apps in the AceDeceiver family that were uploaded to the official App Store between July 2015 and February 2016: 壁纸助手 (which roughly translates to “Wallpaper Assistant”), AS Wallpaper, and i4picture. What’s scary about this is that all three apps bypassed Apple’s code review at least seven times because each app behaved differently based on the physical geographic region. These apps only displayed malicious behaviors if the devices were in China.

Apple removed all three apps from the App Store after Palo Alto reported them. However, Palo Alto says the attack is still viable because the FairPlay MITM attack only needs these apps to be available in the App Store once. If an attacker obtains a copy of the authorization from Apple, these apps could be spread to other devices without them physically being in the App Store.

At the moment, AceDeceiver only affects iPhone and iPad users in China, but based on the fact that it can affect non-jailbroken iOS devices, Palo Alto thinks we could see it spread to more regions soon. This could be from the original attacker or a completely new attack based on a similar technique.

How to protect yourself

Chances are very slim that you currently have the AceDeceiver malware on your iPhone or iPad. As of right now, Palo Alto estimates about 15 million people used the Aisi Helper software, and they are all in China. That sounds like a high number, but when you consider all the iPhones and iPads worldwide, it’s a small percentage. However, you still need to keep some things in mind since it’s likely that similar attacks will take place in different regions.

The first obvious thing you need to do is avoid the Aisi Helper software. However, as Palo Alto warns, versions of the software under a different name could be out in the wild. We recommend that you avoid any third-party software for iOS devices. If it wasn’t developed by Apple, stay away from it.

If you did fall victim to installing malicious PC software, the app(s) that it installs on your iPhone or iPad will at least be visible with an icon. You should immediately uninstall any apps that you know you didn’t install yourself.

You also want to make sure to avoid any third-party app stores, and more importantly, never input your Apple ID and password in any third-party app that promises to give you the same apps and games you can get from the official App Store.

It’s also important that you always download and install the latest version of iOS. Now that Apple has all the necessary information regarding AceDeceiver, it will likely issue a patch in a future update. However, older versions of the iOS software will still be vulnerable.

This is a very complicated exploit so we encourage you to check out the full report from Palo Alto Networks on AceDeceiver for more information.

Robert Nazarian
Former Digital Trends Contributor
Robert Nazarian became a technology enthusiast when his parents bought him a Radio Shack TRS-80 Color. Now his biggest…
Screenshot-reading malware cracks iPhone security for the first time
A person holding an iPhone in their hand.

In the realm of smartphones, Apple’s ecosystem is deemed to be the safer one. Independent analysis by security experts has also proved that point repeatedly over the years. But Apple’s guardrails are not impenetrable. On the contrary, it seems bad actors have managed yet another worrying breakthrough.

As per an analysis by Kaspersky, malware with Optical Character Recognition (OCR) capabilities has been spotted on the App Store for the first time. Instead of stealing files stored on a phone, the malware scanned screenshots stored locally, analyzed the text content, and relayed the necessary information to servers.

Read more
Samsung aped iPhone filters, but served it better on the Galaxy S25
Using filters on the Samsung Galaxy S25 Ultra.

With the arrival of the Galaxy S25 series, Samsung introduced a bevy of camera-centric changes. Take for example the Galaxy S25 Ultra, which upgrades to a 50-megapixel ultrawide sensor, a new Spatio Temporal filter for blur reduction, 8K capture across all lenses, default 10-bit HDR recording, and more. But the company silently gave a massive boost to filters.

So far, users have only been able to pick a filter and capture media with the effect applied on top. There was no scope for fine-tuning the filter characteristics in real time. That limitation has finally gone to the grave with the Galaxy S25 series.

Read more
There’s a clear winner in our Galaxy S25 Ultra vs iPhone 16 Pro Max camera test
The Samsung Galaxy S25 Ultra and Apple iPhone 16 Pro Max's cameras.

Would it be right if we didn't put the latest Samsung Galaxy S series against the latest iPhone in a camera test? We don’t think so, which is why we’ve been out taking photos with the Samsung Galaxy S25 Ultra and the Apple iPhone 16 Pro Max to see which one has the best camera.
Camera specification
Samsung Galaxy S25 Ultra (left) and Apple iPhone 16 Pro Max Andy Boxall / Digital Trends

The Galaxy S25 Ultra’s camera has the same 200-megapixel main camera, 50MP telephoto for 5x optical zoom, and 10MP telephoto for 3x optical zoom as the Galaxy S24 Ultra. What’s new, outside of the processor and software driving it, is a new 50MP wide-angle camera. Samsung has collaborated with Qualcomm on a special Snapdragon 8 Elite for Galaxy processor and uses plenty of AI in the camera for improved results.

Read more