Jailbroken iOS Devices Susceptible to ‘Unflod Baby Panda’ Malware

Discovered by reddit users and detailed by hacker Stefan Esser (a.k.a. @i0n1c), ‘Unflod Baby Panda’ is a newly discovered malware that can infect jailbroken iOS devices and steal users’ Apple ID and password. The malware, which appears to be of Chinese origin, hooks into all running processes of jailbroken iPhones, iPads and iPods and listens to outgoing SSL connections.

Malware

The malware attempts to steal the infected iOS device’s Apple ID and corresponding password, and then send the information in plain text to servers with IP addresses in control of US hosting companies for apparently Chinese customers. Users of reddit have made this malware available to the public, which allowed SektionEins to analyse the threat. Until now, only the malware itself has been found and it is still unknown how it ends up on jailbroken devices.

“The malware comes as a Mach-O ARMv7 dynamic library called Unflod.dylib that is installed as MobileSubstrate extension inside the path:

/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib

It has been suggested that the choice of name might have something to do with the existence of a real tweak called Unfold. The choice of name might therefore just be an attempt to hide in plain sight. While analysing the binary, SektionEins discovered that the binary itself contains strings that hint at the threat being compiled with Xcode on a Mac OS X system. In fact the following string was found inside the Mach-O header as the name of the library during compilation.

/Users/apple/Library/Developer/Xcode/DerivedData/framework-guknhpkmreoccjbplfeebcklivmx/Build/Products/Debug-iphoneos/framework.app/framework

This string reveals that the project name during compilation was “framework.app” and that it was compiled by a user called “apple”. Further information inside the Mach-O header seems to indicate that the binary was compiled against the iOS 6.1 SDK.”
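As an added example (not code from SektionEins or this article), the following Python walks the load commands of a thin little-endian Mach-O dylib, pulls out the install name (LC_ID_DYLIB, the usual home of the build-path string quoted above) plus the linked-library names, and flags an install name that still points into an Xcode DerivedData build directory. It assumes a thin (single-architecture) binary, so fat binaries must be split first; the sample blob is constructed for the test and is not the real Unflod.dylib.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # 32-/64-bit little-endian Mach-O
CPU_TYPE_ARM = 12                                 # ARMv7 dylibs report this cputype
LC_ID_DYLIB, LC_LOAD_DYLIB = 0x0D, 0x0C           # install name / linked libraries

def macho_dylib_names(data: bytes) -> dict:
    """Return {'cputype', 'id', 'loads'} parsed from a thin little-endian Mach-O."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        hdr_size = 28
    elif magic == MH_MAGIC_64:
        hdr_size = 32                              # 64-bit header has a trailing reserved field
    else:
        raise ValueError("not a thin little-endian Mach-O (fat binary or wrong endianness?)")
    cputype, _subtype, _filetype, ncmds, _sizeofcmds = struct.unpack_from("<IIIII", data, 4)
    result = {"cputype": cputype, "id": None, "loads": []}
    off = hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd in (LC_ID_DYLIB, LC_LOAD_DYLIB):
            # dylib_command: cmd, cmdsize, name offset, timestamp, cur ver, compat ver
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            raw = data[off + name_off : off + cmdsize]
            name = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
            if cmd == LC_ID_DYLIB:
                result["id"] = name
            else:
                result["loads"].append(name)
        off += cmdsize
    return result

def is_suspect(info: dict) -> bool:
    """A tweak whose install name is a developer's DerivedData build path is worth a closer look."""
    install_name = info["id"] or ""
    return "/Library/Developer/Xcode/DerivedData/" in install_name

def build_sample(install_name: str) -> bytes:
    """Construct a minimal ARMv7 MH_DYLIB with one LC_ID_DYLIB (test data, not a real binary)."""
    name = install_name.encode() + b"\0"
    pad = (-len(name)) % 4                         # load commands are 4-byte aligned
    cmdsize = 24 + len(name) + pad
    cmd = struct.pack("<IIIIII", LC_ID_DYLIB, cmdsize, 24, 0, 0x10000, 0x10000) + name + b"\0" * pad
    # header: magic, cputype ARM, subtype ARMv7 (9), filetype MH_DYLIB (6), ncmds, sizeofcmds, flags
    hdr = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 6, 1, len(cmd), 0)
    return hdr + cmd
```

Run `macho_dylib_names(open(path, "rb").read())` over each file in /Library/MobileSubstrate/DynamicLibraries/ on a jailbroken device; `otool -L` and `otool -D` show the same install name for comparison.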

For now, deleting Unflod.dylib (at /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib) and changing your Apple ID password appears to be enough to recover from the attack. However, since the origin of the malware is still unknown, we can’t be certain whether any other malware was bundled with it.
