The sub-techniques beta is now live! Read the release blog post for more info.


KeyRaider is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. [1]

ID: S0288
Platforms: iOS
Version: 1.1
Created: 25 October 2017
Last Modified: 11 December 2018

Techniques Used

Domain ID Name Use
Mobile T1446 Device Lockout

KeyRaider has built-in functionality to lock victims out of devices and hold them for ransom.[1]

Mobile T1410 Network Traffic Capture or Redirection

Most KeyRaider samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.[1]

Mobile T1426 System Information Discovery

Most KeyRaider samples search to find the Apple account's username, password and device's GUID in data being transferred.[1]