Got a jailbroken iPhone with the Cydia app store installed? Better watch out. Approximately 225,000 Apple accounts have been stolen by malware hidden in untrusted Cydia repositories. The malware and the account information were discovered by researchers from Palo Alto Networks, with help from WeipTech, a group of technically-minded enthusiasts. Palo Alto Networks believes this is the largest theft of Apple accounts ever caused by malware.
The researchers call the malware family KeyRaider, and they've uncovered 92 variants of the bad apps. As far as the team can tell, KeyRaider only spreads through Cydia repositories from Weiphone, one of the largest Apple fan websites in China, though the team doesn't discount the possibility that KeyRaider software could be present in other untrusted repositories, as well. Unlike other Cydia sources, Weiphone allows registered users to create private repositories where they can upload their own apps and "tweaks."
The harvested account information is bundled into tweaks that allow other users to make illicit App Store and in-app purchases. The research team reports that these tweaks have been downloaded over 20,000 times, suggesting that many are abusing the stolen credentials. Most victims report unauthorized App Store purchases on their accounts, while others have had their phones held for ransom, as KeyRaider can also disable both local and remote unlocking functionality on iOS devices. Chinese users aren't the only ones affected, either—the account cache also contains login information belonging to users in 17 other countries.
WeipTech has a website where users can check whether their Apple accounts were stolen, and Palo Alto Networks disclosed the account information to Apple on August 26. Users can also manually check their jailbroken devices using a process described at the bottom of this page.