Stefan Esser, a hacker known as i0n1c, details the malware that was discovered by reddit users.
On 17th April 2014 a malware campaign targeting users of jailbroken iPhones was discovered and discussed by reddit users. The malware appears to be of Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes on jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device's Apple-ID and corresponding password and sends them in plaintext to servers whose IP addresses belong to US hosting companies, apparently serving Chinese customers.
Unfortunately, the origin of the malware is not known. It's believed that it may end up on jailbroken phones when a user installs pirated apps from unofficial Chinese repositories. Of course, we suggest that you never do this.
The malware is located at /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib on your iDevice. The threat is digitally signed with an iPhone developer certificate registered to a person called WANG XIN. It's unclear if this is a real person, a fake persona, or a victim of certificate theft.
Here's how it works:
"The malware basically hooks into SSLWrite of the Security.framework and scans the buffer for certain strings that indicate the presence of the Apple-ID and the password for it. If those are found the code attempts to connect to the IPs 126.96.36.199 and 188.8.131.52 on port 7878 to send out the stolen data in plaintext."
i0n1c notes that Dr. Web was the first to identify Unflod.dylib as malicious.
Deleting Unflod.dylib and changing your Apple ID password appears to be enough to recover from the attack; however, since the origin of the malware is unknown, there is no way to tell whether any other malware was bundled with it. To be sure any threat is completely removed, you will need to do a full restore. Unfortunately, this means losing your jailbreak.
You can use iFile to easily check for the existence of Unflod.dylib; however, it's likely that a tweak or an update to Cydia will be released shortly to address the malware. Please follow iClarified on Twitter, Facebook, Google+, or RSS for updates.
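If you would rather check from a shell (over SSH to the device, or against a mounted copy of its root filesystem) than with iFile, the following script is an added example and is not part of the iClarified article or of i0n1c's analysis. It only uses the path named above: it reports whether Unflod.dylib is present and lists every other MobileSubstrate library so you can review anything you did not install yourself, since the article notes the malware's origin is unknown and other files may have come with it. The optional first argument (a mount point for an offline copy of the filesystem) is an assumption of this example, not something the article describes.

```shell
#!/bin/sh
# Added example (not from the iClarified article or i0n1c's write-up):
# check a jailbroken device for the Unflod.dylib file named in the article.
# Run with no argument on the device itself, or pass the mount point of a
# copied root filesystem as the first argument (assumption: the copy keeps
# the device's /Library/MobileSubstrate layout).

SUBSTRATE_DIR="/Library/MobileSubstrate/DynamicLibraries"

# Returns 0 (true) if the file named in the article exists under the given
# root, 1 (false) otherwise.
unflod_present() {
    root="${1:-}"
    [ -e "$root$SUBSTRATE_DIR/Unflod.dylib" ]
}

# Prints every .dylib in the MobileSubstrate directory, one per line, so the
# reader can spot libraries they did not knowingly install. Prints nothing
# (and still succeeds) when the directory does not exist.
list_substrate_dylibs() {
    root="${1:-}"
    dir="$root$SUBSTRATE_DIR"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.dylib; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Full check: returns 1 when the malware file is present (so the script's
# exit status can drive an alert), 0 when it is absent.
check_device() {
    root="${1:-}"
    status=0
    if unflod_present "$root"; then
        echo "FOUND: $root$SUBSTRATE_DIR/Unflod.dylib"
        echo "Delete it and change your Apple ID password; do a full restore to be sure nothing else was bundled with it."
        status=1
    else
        echo "Unflod.dylib not found under ${root:-/}"
    fi
    echo "Installed MobileSubstrate dylibs (review anything you do not recognize):"
    list_substrate_dylibs "$root"
    return $status
}

# Usage: sh check_unflod.sh            (on the device, over SSH)
#        sh check_unflod.sh /mnt/ios   (against a mounted root filesystem; assumed path)
check_device "$@"
```

The exit status is 1 only when Unflod.dylib itself is present; the listing of other libraries is informational, because the article gives no indicator for whatever else might have been installed alongside it.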