How to find and remove ‘KeyRaider’ malware on your jailbroken iOS device

BY Killian Bell

Published 4 Sep 2015


Researchers have discovered new malware for jailbroken iOS devices that intercepts iTunes traffic to steal your Apple account information. It’s called KeyRaider and it has stolen more than 250,000 accounts so far — and here’s how you can find and eliminate it.

Discovered by Palo Alto Networks, KeyRaider has mostly affected users in China, but it has made its way to 18 countries in total, making it a real concern for jailbreakers worldwide. You can avoid it by only installing trusted packages from reliable sources.

But if you haven’t always done that and you’re worried your device might be at risk, thankfully, Redditor Flu17 has a quick and easy method of finding and eliminating the malicious app. Here are the steps you need to take:

  1. Search Cydia for Filza File Manager and install
  2. Open the app and navigate to /Library/MobileSubstrate/DynamicLibraries/
  3. Select the first file ending in .dylib
  4. Inside this file, you’ll see lots of hex code. Use the search bar at the top to look for the following keywords:
    • wushidou
    • gotoip4
    • bamu
    • getHanzi
  5. If you find any of these things, your device is infected. To clean it, you must delete the file along with its corresponding .plist with the same name

“You must perform these steps for each and every .dylib file in the [/DynamicLibraries/] directory,” Flu17 warns. “Once you have cleared out the necessary files, reboot your device. Do not respring. Turn it off fully, then turn it on again.”

Once you have removed all of these files and restarted your iOS device, it will be free from the KeyRaider malware. Of course, your account may have already been compromised, in which case all you can do is change its password and be on the lookout for any unusual purchases.

We should note, however, that the risk of picking up KeyRaider outside of China is slim — especially if you live in the U.S., which is thought to be unaffected by it so far. But it’s still worth checking to be sure you device isn’t infected by it.

If you find KeyRaider on your device, you can also restore it with a fresh copy of iOS to remove the malicious files. However, this will remove your jailbreak and wipe all of your data, so you’ll have to repeat the jailbreaking process again once the restore is complete, and be sure to backup first.