Newly Discovered Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords


Newly discovered malware dubbed 'Unflod Baby Panda' infects jailbroken iDevices in an attempt to steal your Apple ID and password.

Stefan Esser, a hacker known as i0n1c, details the malware that was discovered by reddit users.

On 17th April 2014 a malware campaign targeting users of jailbroken iPhones was discovered and discussed by reddit users. This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device's Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.

Unfortunately, the origin of the malware is not known. It's believed that it may end up on jailbroken phones when a user installs pirated apps from unofficial Chinese repositories. Of course, we suggest that you never do this.

The malware is located at /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib on your iDevice. The threat is digitally signed with an iPhone developer certificate registered to a person called WANG XIN. It's unclear if this is a real person, a fake persona, or a victim of certificate theft.

Here's how it works:

"The malware basically hooks into SSLWrite of the Security.framework and scans the buffer for certain strings that indicate the presence of the Apple-ID and the password for it. If those are found the code attempts to connect to the IPs 23.88.10.4 and 23.228.204.55 on port 7878 to send out the stolen data in plaintext."

i0n1c notes that Dr. Web was the first to identify Unflod.dylib as malicious.

Deleting Unflod.dylib and changing your Apple ID password appears to be enough to recover from the attack; however, since the origin of the malware cannot be located, we don't know if any other malware was bundled with it. Thus, to be sure any threat is completely removed, you will need to do a full restore. Unfortunately, this means losing your jailbreak.

You can use iFile to easily check for the existence of Unflod.dylib; however, it's likely that a tweak or an update to Cydia will be released to address the malware shortly. Please follow iClarified on Twitter, Facebook, Google+, or RSS for updates.
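An added defender-side check, not part of the article or of Esser's write-up: it looks for the dylib path the article names and for connections to the two exfiltration endpoints on port 7878 in netstat-style output copied off the device. The directory listing and netstat lines below are constructed samples; note that a renamed copy of the library would not be caught by the path check.

```python
"""IOC checker for the Unflod indicators quoted in the article (added example)."""
import os
import re
from typing import Iterable, List, Tuple

# Indicators as given in the article.
UNFLOD_PATH = "/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib"
EXFIL_HOSTS = {"23.88.10.4", "23.228.204.55"}
EXFIL_PORT = 7878

# Foreign-address column of BSD `netstat -an` ("1.2.3.4.7878") or "1.2.3.4:7878".
_ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[.:](\d{1,5})")


def dylib_present(listing: Iterable[str]) -> bool:
    """True if Unflod.dylib appears in a directory listing (full paths or bare names).
    Caveat: only matches the filename, so a renamed copy is not detected."""
    return any(os.path.basename(entry.strip()) == os.path.basename(UNFLOD_PATH)
               for entry in listing)


def exfil_connections(netstat_lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (remote_ip, port, state) for connections to the exfil servers on 7878.
    Expects netstat -an style rows: proto recv-q send-q local foreign [state]."""
    hits = []
    for line in netstat_lines:
        cols = line.split()
        if len(cols) < 5:
            continue
        match = _ENDPOINT_RE.fullmatch(cols[4])
        if not match:
            continue  # e.g. "*.*" wildcard listeners
        ip, port = match.group(1), int(match.group(2))
        if ip in EXFIL_HOSTS and port == EXFIL_PORT:
            hits.append((ip, port, cols[5] if len(cols) > 5 else ""))
    return hits


# Constructed sample data (not captured from a real device).
SAMPLE_LISTING = [
    "/Library/MobileSubstrate/DynamicLibraries/MobileSafety.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/Unflod.plist",
]
SAMPLE_NETSTAT = [
    "tcp4  0  0  10.0.0.5.49152  203.0.113.7.443  ESTABLISHED",  # benign, documentation IP
    "tcp4  0  0  10.0.0.5.49153  23.88.10.4.7878  SYN_SENT",
    "tcp4  0  0  10.0.0.5.49154  23.228.204.55.7878  ESTABLISHED",
    "udp4  0  0  *.5353  *.*",
]

if __name__ == "__main__":
    print("dylib present:", dylib_present(SAMPLE_LISTING))
    print("exfil connections:", exfil_connections(SAMPLE_NETSTAT))
```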

Treated like a Criminal - April 19, 2014 at 1:33pm
This is coming from Samsung. The writing is on the wall.
mr BLa6k - April 19, 2014 at 11:57am
Is the repo Very Fast? I checked my devices and they are clean and always rooted (jailbroken). If the repo is kuaiyong you do not need a jailbreak, but it helps if you know how to read. As far as my Apple ID, I do not have a credit card or banking info on it; it is not a good idea to have your info with any retailer. If you are intelligent enough to root your Apple device and you know where you got the virus and how to remove the file, then you should be fine. I would not update to 7.1; Cydia will no doubt release a patch soon. Blocking the IP or the port is also a good idea till the whole issue is explored, but iFile is great and easy to use and should be enough for now.
Mike - April 19, 2014 at 1:15am
Wouldn't it be easier to just edit your host file to block your phone from communicating with those IPs? That's what I would do!
Archie - April 18, 2014 at 10:44pm
So this malware only infects iOS devices that have installed cracked versions of apps from a Chinese host. Well, stealing apps has its drawbacks. If you steal you deserve the malware problem.
dtron - April 18, 2014 at 6:48pm
It's not the first time that malware is targeting iOS. Some years ago, we had iKee.B and iSAM. iSAM was created by some researchers to demonstrate that it is relatively easy to bypass any security control and create malware for iOS. The research paper was entitled "iSAM: An iPhone Stealth Airborne Malware": http://link.springer.com/chapter/10.1007%2F978-3-642-21424-0_2 or just google the title for the PDF!