Jailbroken iPhones are being targeted by an active malware campaign, stealing passwords


unflod-hook-499

A malware campaign has been unearthed by security researcher Stefan Esser after many of the users of jailbroken iPhones and iPads posted on Reddit that their devices crashed repeatedly after installing unofficial tweaks through a third-party app store called ‘Cydia’ which serves the market of jailbroken  Apple devices.

According to Stefan Esser, the purpose of the malware is to get information about Apple ID from jailbroken iPhones and iPads. The malware campaign is being called “Unflod Baby Panda” and it originates from China. Stefan Esser reports the results in a blog post and writes the following:

“This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.”

The other name for this library is framework.dylib which is found in other infections. However, it is not clear how the malware ended up in the jailbroken iPhones and iPads. Rumors are that “Chinese piracy repositories are involvedare so far unverified,” reported the blog.

In an e-mail to Ars, Esser reveals that iPhone 5S/iPad Air or iPad mini 2G are safe from the malware as it can only attack 32-bit versions of iOS. “There is no ARM 64-bit version of the code in the copy of the library we got,” he wrote. The solution is to restore the device. After restoring the devices the users must also change their Apple ID passwords as soon as possible.

“That is why we recommend to restore the device,” Esser suggested Ars. “However, that means people will lose their jailbreak until a new one is released, and the majority of jailbreak users will not do that.”

Sophos, antivirus provider, researchers underplay that the threat came from Cydia directly and suggest there no need to panic.

“I will also again take this moment to point out to anyone concerned that the probability of this coming from a default [Cydia] repository is fairly low,” Cydia developer Jay Freeman, aka Saurik, wrote in one reddit comment. “I don’t recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by e-mail on your desktop computer.”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s