December 28, 2024
Newly Discovered Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords

Newly Discovered Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords

Posted April 18, 2014 at 4:20pm by iClarified
Newly discovered malware dubbed 'Unflod Baby Panda' infects jailbroken iDevices in an attempt to steal your Apple ID and password.

Stefan Esser, a hacker known as i0n1c, details the malware that was discovered by reddit users.

On 17th April 2014 a malware campaign targetting users of jailbroken iPhones has been discovered and discussed by reddit users. This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device's Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.


Unfortunately, the origin of the malware is not known. It's believed that it may end on up jailbroken phones when a user installs pirated apps from unofficial Chinese repositories. Of course, we suggest that you never do this.

The malware is located at /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib on your iDevice. The threat is digitally signed with an iPhone developer certificate registered to a person called WANG XIN. It's unclear if this is a real person, a fake persona, or a victim of certificate theft.

Here's how it works:

"The malware basically hooks into SSLWrite of the Security.framework and scans the buffer for certain strings that indicate the presence of the Apple-ID and the password for it. If those are found the code attempts to connect to the IPs 23.88.10.4 and 23.228.204.55 on port 7878 to send out the stolen data in plaintext."


i0n1c notes that Dr. Web is the first one to identify Unflod.dylib as malicious.

Deleting the Unfold.dylib and changing your Apple ID password appears to be enough to recover from the attack; however, since the origin of the malware cannot be located, we don't know if any other malware was bundled with it. Thus, to be sure any threat is completely removed, you will need to do a full restore. Unfortunately, this means losing your jailbreak.

You can use iFile to easily check for the existence of Unflod.dylib; however, a it's like that a tweak or an update to Cydia will be released to address the malware shortly. Please follow iClarified on Twitter, Facebook, or RSS for updates.

Read More


Newly Discovered Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords

Newly Discovered Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords

Newly Discovered Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords
Newly Discovered Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords
Add Comment
Would you like to be notified when someone replies or adds a new comment?
Yes (All Threads)
Yes (This Thread Only)
No
iClarified Icon
Notifications
Would you like to be notified when we post a new Apple news article or tutorial?
Yes
No
Comments (6)
You must login or register to add a comment...
Treated like a Criminal
Treated like a Criminal - April 19, 2014 at 1:33pm
This is coming from Sumsung. The writting is on the wall.
mr BLa6k
mr BLa6k - April 19, 2014 at 11:57am
Is the repo Very Fast checked my devices and they are clean and always Rooted ( jail broken ). If the repo is kuaiyong you do not need a jailbreak but it helps if you know how to read. As far as my apple id I do not have a credit card or banking info on it, it is not a good idea to have you info with any retailer. If you are intelligent enough to Rooting your apple device and you know where you got the virus and how to remove the file then you should be fine. I would not update to 7.1, Cydia will no doubt release a patch soon. Blocking the ip is also a good idea or the port till the whole issued is explored but ifile is great and easy to use and should be enough for now.
Mike
Mike - April 19, 2014 at 1:15am
Wouldn't it be easier to just edit your host file to block your phone from communicating with those IPs? That's what I would do!
Archie
Archie - April 18, 2014 at 10:44pm
So this malware only infects iOS devices that have installed cracked versions of apps from a Chinese host. Well, stealing apps has its drawbacks. If you steal you deserve the malware problem.
Marius
Marius - April 18, 2014 at 7:17pm
Sooo, what are you doing here then?
m_thoroughbred
m_thoroughbred - April 18, 2014 at 8:37pm
This is for people with jailbroken iPhones not stock iPhones so I don't know what you're trying to say. Stock android can get malware without being rooted
Recent. Read the latest Apple News.
RECENT
Tutorials. Help is here.
TUTORIALS
Where to Download macOS Sequoia
Where to Download macOS Ventura
AppleTV Firmware Download Locations
Where To Download iPad Firmware Files From
Where To Download iPhone Firmware Files From
Deals. Save on Apple devices and accessories.
DEALS