‘AppBuyer’ malware for iOS discovered, affects jailbroken devices

BY Joe Rossignol

Published 16 Sep 2014


Palo Alto Networks has found and analyzed a new malware family for iOS called “AppBuyer” that affects jailbroken iPhone, iPad and iPod touch devices. The malware is designed to steal the user’s Apple ID username and password and upload them to the attacker’s server, after which the attacker can download apps from the App Store using that account. 

The malware, classified as a Trojan, works in three steps. First, it downloads an executable that generates a unique UUID for the device; then it downloads a Cydia Substrate tweak that intercepts all HTTP/HTTPS sessions in order to capture the Apple ID credentials; and last it downloads a fake gzip utility that logs in to the App Store with the stolen account.

It remains unclear how AppBuyer gets onto jailbroken iOS devices, but a handful of possibilities have been outlined. These include installation by a malicious Cydia Substrate tweak hosted in a third-party repository (as was the case with “Trojan.iOS.AdThief”), by other PC-based malware, or by a PC jailbreaking utility.

AppBuyer was originally brought to light by the WeiPhone Technical Group in May, after they remotely helped a user work out why apps kept being installed on his jailbroken iPhone without his involvement. What the group found were two malicious files that downloaded, executed and then deleted other executables fetched from the web.

It is not the first time that jailbroken devices have been victimized by malware. Earlier this year, Palo Alto Networks also discovered AdThief malware that was attempting to steal ad impressions.

While Palo Alto Networks recommends not jailbreaking your iPhone, iPad or iPod touch at all if you want to stay fully secure, it also advises users of jailbroken devices to use a file browser such as iFile or iFunBox to check for the following files; their presence indicates that the device is infected:

  • /System/Library/LaunchDaemons/com.archive.plist
  • /bin/updatesrv
  • /tmp/updatesrv.log
  • /etc/uuid
  • /Library/MobileSubstrate/DynamicLibraries/aid.dylib
  • /usr/bin/gzip
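As an added example (not part of the original article or of Palo Alto Networks’ write-up), the following POSIX shell function checks for the indicator paths listed above. It is meant to be run from a terminal or SSH session on the jailbroken device rather than through a GUI file browser; the optional root-directory parameter (so it can be tested against a constructed directory tree), the FOUND/CHECK output labels, and the use of dpkg’s `gzip.md5sums` record to verify the gzip binary are this example’s own assumptions.

```shell
#!/bin/sh
# Added example: scan a filesystem root for the AppBuyer indicators.
# Paths are taken from the Palo Alto Networks indicator list above;
# everything else in this script is illustrative.

# Files that should never exist on a clean device.
APPBUYER_IOCS="
/System/Library/LaunchDaemons/com.archive.plist
/bin/updatesrv
/tmp/updatesrv.log
/etc/uuid
/Library/MobileSubstrate/DynamicLibraries/aid.dylib
"

# appbuyer_scan [ROOT]
#   ROOT defaults to "/" (the live device). Prints one line per indicator
#   found and returns the number of indicators found (0 means clean).
appbuyer_scan() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so "$root$p" joins cleanly
    found=0

    for p in $APPBUYER_IOCS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $p"
            found=$((found + 1))
        fi
    done

    # /usr/bin/gzip normally exists on a jailbroken device (Cydia's gzip
    # package provides it), so presence alone proves nothing. AppBuyer
    # replaces the binary, so compare it against the md5 recorded by dpkg
    # when the package installed it (assumption: the package shipped an
    # md5sums list). Otherwise flag it for manual verification.
    gz="$root/usr/bin/gzip"
    if [ -e "$gz" ]; then
        md5file="$root/var/lib/dpkg/info/gzip.md5sums"
        if [ -r "$md5file" ] && command -v md5sum >/dev/null 2>&1; then
            expected=$(awk '$2 == "usr/bin/gzip" {print $1}' "$md5file")
            actual=$(md5sum "$gz" | awk '{print $1}')
            if [ -n "$expected" ] && [ "$expected" != "$actual" ]; then
                echo "FOUND: /usr/bin/gzip (md5 differs from dpkg record)"
                found=$((found + 1))
            fi
        else
            echo "CHECK: /usr/bin/gzip present; verify it by hand (no dpkg md5 record to compare)"
        fi
    fi

    return "$found"
}

# Run directly on a device:  sh appbuyer_check.sh --run
# Exit status is the number of indicators found.
if [ "${1-}" = "--run" ]; then
    appbuyer_scan "${2:-/}"
    exit $?
fi
```

Because the exit status is the hit count, the script composes with a plain `|| echo infected` in an SSH one-liner. It deliberately does not delete anything: as the article notes below, the initial infection vector is unknown, so finding any of these files is a reason to restore the device, not just to remove the files.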

One caveat: /usr/bin/gzip is present on any jailbroken device with Cydia’s gzip package installed, so what matters there is whether the binary has been replaced, not whether it exists; the other five paths do not belong on a clean device. Because the source of these malicious files has not been determined, simply deleting them might not be enough to make the device secure again. If you find any of them, the safer course is to restore the device to factory settings through iTunes.

Palo Alto Networks has also released URL signatures that block download of the malicious files mentioned above, and says DNS and IPS signatures will follow.

[Palo Alto Networks via Reddit]