Warning: Malware discovered on Jailbroken iOS devices which steals Apple ID and passwords [Updated]

BY Gautam Prabhu

Published 18 Apr 2014

iPhone Malware

Security researcher Stefan Esser a.k.a i0n1c has reported a serious security issue for jailbreakers. A malware called “Unflod Baby Panda” has been discovered on jaibroken iOS devices that is sending Apple ID and password to servers based in China.

The issue was first discovered by jailbreakers on reddit.  Folks at security firm SektionEins who have done a quick analysis of the malware report:

This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.

It is not clear how the malware ended up on a jailbroken device, but it is suspected that it may have been installed by Chinese pirate repositories. SektionEins reports that their involvement hasn’t been verified so far, but the malware is signed with an iPhone developer certificate, which is registered to a person called WANG WIN (which could be faked or the person’s identity stolen).

To find out if you’re infected by the malware, navigate to the following folder using iFile:
/Library/MobileSubstrate/DynamicLibraries/ and check if there is a Unflod.dylib library in that location.

Alternatively, Esser is also advising that users could run a grep command to check if they’re infected:

If you find the dynamic library on your device, then you should delete it immediately and change your Apple ID password, and enable two-step verification.

The malware again highlights why jailbreakers should avoid installing repositories from untrusted sources that host pirated software. If you’ve jailbroken your iOS device then I would strongly recommend you to check if you’re infected.

Update:

Please check this reddit thread for more detailed instructions to check for Unflod.dylib malware, and help saurik, the founder of Cydia, find out more details about it to ensure that it does not affect other users.