Warning: Malware discovered on Jailbroken iOS devices which steals Apple ID and passwords [Updated]


Security researcher Stefan Esser, a.k.a. i0n1c, has reported a serious security issue for jailbreakers. Malware called “Unflod Baby Panda” has been discovered on jailbroken iOS devices; it captures the device’s Apple ID and password and sends them to servers that, according to the analysis quoted below, are hosted by US companies for apparently Chinese customers.

The issue was first discovered by jailbreakers on reddit. The folks at security firm SektionEins, who did a quick analysis of the malware, report:

This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.

It is not clear how the malware ends up on a jailbroken device, but it is suspected that it may have been installed from Chinese pirate repositories. SektionEins reports that the involvement of those repositories hasn’t been verified so far. The malware is signed with an iPhone developer certificate registered to a person called WANG WIN (the name could be faked, or the person’s identity stolen).

To find out whether you’re infected by the malware, navigate to /Library/MobileSubstrate/DynamicLibraries/ using iFile or SSH (the folder sits under the root of the filesystem, not under your home directory) and check whether a file named Unflod.dylib is in that location.

Alternatively, Esser also advises that users who are comfortable with a shell can run a grep command over that folder to check whether they’re infected.

If you find the dynamic library on your device, delete it immediately, change your Apple ID password, and enable two-step verification. Deleting the file only stops it being loaded into new processes; copies already hooked into running processes stay resident until you reboot. Treat the password as compromised regardless, because the malware has already sent it off the device in plaintext.
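Here, as an added example that is not the article’s, Esser’s or SektionEins’ code, is a POSIX shell check you could run over SSH on the device. It looks in the DynamicLibraries folder named above for a library whose name contains “Unflod” and, as an assumption of mine in case the file was renamed, also greps every .dylib there for that string. The function names and the constructed sample libraries are mine; the scan only reports, it never deletes anything.

```shell
#!/bin/sh
# Added example (not from the article or SektionEins): scan a
# MobileSubstrate DynamicLibraries directory for the Unflod.dylib malware.
# Detection only; deletion, password change and 2-step setup stay manual.

# Location named in the article. Override by passing another directory
# as the first argument (the constructed demo below does exactly that).
SUBSTRATE_DIR="/Library/MobileSubstrate/DynamicLibraries"

# scan_substrate_dir [DIR]
# Prints one line per suspicious library. Returns 0 when the directory
# looks clean, 1 when something was flagged, 2 when DIR does not exist.
# A library is flagged when its file name contains "unflod"
# (case-insensitive) or, assumption of mine in case the file was
# renamed, when the binary itself contains the string "Unflod".
scan_substrate_dir() {
    dir=${1:-$SUBSTRATE_DIR}
    found=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir (are you at the filesystem root, not /private/var/root?)" >&2
        return 2
    fi
    for f in "$dir"/*.dylib; do
        [ -e "$f" ] || continue            # glob matched nothing: folder is empty
        name=$(basename "$f" | tr '[:upper:]' '[:lower:]')
        case "$name" in
            *unflod*)
                echo "SUSPICIOUS (by name): $f"
                found=1
                continue ;;
        esac
        # grep -q exits 0 on a match even inside a binary file
        if grep -qi 'unflod' "$f" 2>/dev/null; then
            echo "SUSPICIOUS (string match): $f"
            found=1
        fi
    done
    return $found
}

# demo_constructed
# Builds a throwaway directory holding a constructed benign library and a
# constructed fake Unflod.dylib (plain text, not real malware), scans it,
# cleans up, and returns the scanner's exit code (1, since the fake is found).
demo_constructed() {
    tmp=$(mktemp -d) || return 2
    printf 'benign library' > "$tmp/Other.dylib"
    printf 'constructed fake, not real malware' > "$tmp/Unflod.dylib"
    scan_substrate_dir "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# On a device, run:  scan_substrate_dir   (or  scan_substrate_dir /some/dir)
```

Run it as root over SSH on the jailbroken device; a non-zero exit with one or more SUSPICIOUS lines means you should follow the removal steps above, while exit code 2 means you are probably in /private/var/root and need the folder under the filesystem root.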

The malware again highlights why jailbreakers should avoid adding repositories from untrusted sources that host pirated software. If you’ve jailbroken your iOS device, I strongly recommend that you check whether you’re infected.

Update:

Please check this reddit thread for more detailed instructions to check for Unflod.dylib malware, and help saurik, the founder of Cydia, find out more details about it to ensure that it does not affect other users.


  • Spydar007

    I’m alright because:

    1. My device is not infected.
    2. My Apple ID password is 32 characters long.
    3. I have 2-step verification enabled anyway.

    • wolverinemarky

      Just checked my phone via iFile and I’m good. If you’re having trouble getting to where he tells you to check, follow these steps in iFile: at the top left, press the < until you can’t go back any more, then go to the folder and you will see MobileSubstrate plain as day. Hope this helps.

      • Spydar007

        Huh? I said I am not affected!

        • wolverinemarky

          Didn’t mean to reply to you personally thought I was replying to the story itself to help other people out who didn’t know how to check.

      • TBV

        Thanks for the info. I was having trouble finding the Mobile substrate folder.

        • wolverinemarky

          yw glad i could help

  • Carrot

    I can’t even find a MobileSubstrate folder via SSH. And wtf is a grep command? It would be nice to provide more information for jb noobs in a serious thing like that.

    • Gautam

      You should use iFile in that case.

    • mE.!

      When you connect you start in /private/var/root. You need to go up 3 levels to the root of the filesystem, then browse to /Library … etc.

  • David Randle

    If you can’t find MobileSubstrate, try doing a respring. It worked for me.

    • Dimyl452

      Didn’t work for me. Still can’t find MobileSubstrate in the System folder.

      • mE.!

        MobileSubstrate isn’t in the System folder. Go all the way up to the root of the device and then look for Library.

  • Elias

    Hey, I saw something called (Umino.dylib). Is that what you mean?

    • Gautam

      No, not that one. The name of the library is Unflod.dylib.

      • Elias

        Ok thanks bro

  • Wyatt

    Would these Chinese repositories be the ones that were installed with evasi0n?

    • Gautam

      Doesn’t seem to be the case, as evad3rs had disabled it remotely and removed it completely in subsequent updates.

      • h4rr33

        So the infected iPhones could be the early adopters that had the chinese software installed before it was removed. F*cking evad3rs.

        • Gautam

          It doesn’t seem to be the case.

  • Tedt

    Thanks for the tip off, me good.

  • njs432

    I got an email on yahoo that someone from China tried to log into my email account. o.O

  • Bluedream

    Already checked.. my iPhone is clean.. no such file..

  • Joe

    So many phones have it, while not a single person who commented had it on their phone. Sounds like a PR article to try to scare people away from jailbreaking their phones.

    • Gautam

      Nice to know we have a conspiracy theorist amongst us.

      But on a serious note, suggest visiting the reddit threads, some users do seem to be affected.

  • b7ish

    Hi All!
    I do not have iFile. How can I find that Unflod.dylib if my device has it?
    Anyone please advise.

    • Gautam

      You can use iFile to find out. Go to the root directory and then look for the file in /Library/MobileSubstrate/DynamicLibraries/.

  • bcsc

    But Apple products can’t get malware and viruses, how is this possible?

    • Blue

      That’s a lie. Apple has its own share of viruses and trojans; heck, it’s more prone to infections than Windows or Linux. The only reason that there isn’t a plethora of viruses is the closed source.
      So to answer it, yes, it’s possible.

      • Gautam

        He was just being sarcastic :)

        • bcsc

          That moment when you realize that the Admin knows I’m a d!ck. ;)

      • bcsc

        Sarcasm is apparently very hard to convey in writing.

      • DJ BrU

        Also more people use Windows worldwide thus more Windows developers.

  • Anh Spy

    Nice! Thanks!

  • Arthur

    How do you enable 2-step verification?