
S0288: KeyRaider

KeyRaider is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. [1]

Domain: Mobile | ID: S0288 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

KeyRaider matters because it represents mobile malware focused on jailbroken iOS devices, Apple account credential theft, data theft, and ransomware functionality. For leaders, the key issue is not just malware cleanup; it is whether personally owned or unmanaged mobile devices can become a weak point for identity compromise, business app access, and recovery readiness.

Executive priority

Treat this as a mobile identity and resilience risk. Executives should ask whether jailbroken devices are allowed to access business resources, whether Apple account or mobile identity compromise would be visible to the SOC, and whether mobile ransomware scenarios are covered by backup, device replacement, and incident response procedures. This object also supports prioritizing evidence for mobile compliance controls, especially jailbreak posture, device inventory, and account protection.

Technical view

ATT&CK provides no official detection text, platforms, or tactics for this malware object, but the description ties KeyRaider to jailbroken iOS devices and credential/data theft with ransomware functionality. Relationship context shows use of System Information Discovery and Adversary-in-the-Middle, so SOC and IR teams should validate visibility into mobile device posture, device/system metadata collection, suspicious VPN or traffic-interception behavior, and Apple account authentication anomalies. Detection should be framed as behavior and exposure validation rather than a signature-only exercise.

Likely telemetry

  • Mobile device inventory and jailbreak/compliance posture records
  • Mobile application, profile, VPN, and configuration inventory where available
  • Mobile EDR or MDM events for suspicious app behavior and device metadata access
  • Network telemetry showing unexpected VPN/proxy/interception paths from mobile devices
  • Apple account authentication, password reset, and unusual access events where available

Detection direction

  • Confirm whether the organization can identify jailbroken iOS devices before they access business systems.
  • Validate monitoring for new or suspicious VPN/profile configurations because related ATT&CK context includes Adversary-in-the-Middle behavior.
  • Look for unusual mobile account activity in combination with risky device posture rather than relying on any single indicator.
  • Tune carefully for legitimate VPN, privacy, and management tools to avoid excessive false positives.
  • Because ATT&CK provides no official detection guidance for this object, document which detections are based on local telemetry, MDM policy, and identity logs.
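One way to implement the "combine indicators" direction above, as an added example that is not part of the ATT&CK object or of Glexia's tooling: it joins constructed MDM posture records with constructed identity events and rates a device high only when risky device posture and an account anomaly coincide, while an unapproved VPN profile is counted only against a local approved list. Field names, the approved-VPN list and the event labels are assumptions.

```python
from collections import defaultdict

# Constructed MDM posture records, one per device; field names are assumptions.
MDM_POSTURE = [
    {"device_id": "dev-001", "user": "alice", "jailbroken": True,  "vpn_profiles": ["unknown-proxy"]},
    {"device_id": "dev-002", "user": "bob",   "jailbroken": False, "vpn_profiles": ["corp-vpn"]},
    {"device_id": "dev-003", "user": "carol", "jailbroken": True,  "vpn_profiles": ["corp-vpn"]},
    {"device_id": "dev-004", "user": "dave",  "jailbroken": False, "vpn_profiles": ["unknown-proxy"]},
]

# Constructed identity events (Apple account / IdP style), already normalised.
IDENTITY_EVENTS = [
    {"user": "alice", "device_id": "dev-001", "event": "password_reset"},
    {"user": "alice", "device_id": "dev-001", "event": "login_new_country"},
    {"user": "bob",   "device_id": "dev-002", "event": "login_new_country"},
    {"user": "carol", "device_id": "dev-003", "event": "login"},
    {"user": "dave",  "device_id": "dev-004", "event": "login"},
]

APPROVED_VPN_PROFILES = {"corp-vpn"}  # tune to locally approved VPN/management tools
ANOMALOUS_EVENTS = {"password_reset", "login_new_country"}

def score_devices(posture, events, approved_vpn=APPROVED_VPN_PROFILES):
    """Return {device_id: (severity, reasons)}.
    'high' needs risky posture AND an account anomaly; either alone is 'medium'."""
    anomalies = defaultdict(set)
    for ev in events:
        if ev["event"] in ANOMALOUS_EVENTS:
            anomalies[ev["device_id"]].add(ev["event"])
    results = {}
    for dev in posture:
        reasons = []
        if dev["jailbroken"]:
            reasons.append("jailbroken")
        unapproved = set(dev["vpn_profiles"]) - approved_vpn  # approved tools are not a signal
        if unapproved:
            reasons.append("unapproved_vpn:" + ",".join(sorted(unapproved)))
        reasons += ["account:" + a for a in sorted(anomalies.get(dev["device_id"], ()))]
        posture_risk = dev["jailbroken"] or bool(unapproved)
        account_risk = bool(anomalies.get(dev["device_id"]))
        if posture_risk and account_risk:
            severity = "high"
        elif posture_risk or account_risk:
            severity = "medium"
        else:
            severity = "none"
        results[dev["device_id"]] = (severity, reasons)
    return results
```

Only dev-001 (jailbroken, unapproved profile, password reset plus new-country login) scores high; the other three carry one indicator each and stay medium, which is where local tuning decides whether to alert at all.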

Mitigation priorities

  • Prioritize blocking or restricting jailbroken devices from accessing enterprise resources.
  • Require mobile device compliance checks for access to sensitive business applications and identity providers.
  • Strengthen Apple/mobile account protections, including rapid credential reset and recovery workflows when compromise is suspected.
  • Maintain tested mobile recovery procedures, including backup, device replacement, and wipe/re-enrollment processes for ransomware scenarios.
  • Review approved VPN/profile usage and remove unmanaged or unnecessary mobile interception paths.

Analyst notes and limits

The most useful defensive framing is exposure-based: determine whether jailbroken iOS devices exist in the business environment, whether they can reach enterprise data, and whether identity events from those devices are visible. The related techniques add practical hunting direction around system information discovery and adversary-in-the-middle behavior, but local mobile telemetry will determine feasibility.

The supplied ATT&CK object has no official detection text, no listed tactics, and no specified platform field, although the official description explicitly references jailbroken iOS devices. No active exploitation, attribution, or guaranteed detection coverage is stated or inferred.

Official MITRE ATT&CK definition

KeyRaider

KeyRaider is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1426 | System Information Discovery | Most KeyRaider samples search to find the Apple account's username, password and device's GUID in data being transferred. (Citation: Xiao-KeyRaider)
Mobile | T1638 | Adversary-in-the-Middle | Most KeyRaider samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store. (Citation: Skycure-Profiles)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 8871cdb7fb5c440c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 8871cdb7fb5c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Xiao-KeyRaider: Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.
  2. [2] KeyRaider (Citation: Xiao-KeyRaider)
  3. [3] mitre-attack S0288

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.