Jailbroken iOS Devices Susceptible to ‘Unflod Baby Panda’ Malware

Discovered by reddit users and detailed by hacker Stefan Esser (a.k.a. @i0n1c), ‘Unflod Baby Panda’ is a newly discovered malware that infects jailbroken iOS devices and steals users’ Apple ID and password. The malware, which appears to be of Chinese origin, hooks into all running processes of jailbroken iPhones, iPads and iPods and listens to outgoing SSL connections.

Malware

The malware attempts to steal the infected iOS device’s Apple ID and corresponding password, and then sends the information in plain text to servers at IP addresses controlled by US hosting companies, apparently on behalf of Chinese customers. Users of reddit have made this malware available to the public, which allowed SektionEins to analyse the threat. Until now, only the malware itself has been found and it is still unknown how it ends up on jailbroken devices.

“The malware comes as a Mach-O ARMv7 dynamic library called Unflod.dylib that is installed as MobileSubstrate extension inside the path:

/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib

It has been suggested that the choice of name might have something to do with the existence of a real tweak called Unfold. The choice of name might therefore just be an attempt to hide in plain sight. While analysing the binary, SektionEins discovered that the binary itself contains strings that hint at the threat being compiled with Xcode on a Mac OS X system. In fact the following string was found inside the Mach-O header as the name of the library during compilation.

/Users/apple/Library/Developer/Xcode/DerivedData/framework-guknhpkmreoccjbplfeebcklivmx/Build/Products/Debug-iphoneos/framework.app/framework

This string reveals that the project name during compilation was “framework.app” and that it was compiled by a user called “apple”. Further information inside the Mach-O header seems to indicate that the binary was compiled against the iOS 6.1 SDK.”
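The two findings quoted above (the Xcode build path recorded as the library's install name, and the SDK version) both live in the Mach-O load commands, so a responder can recover them without running the library. The script below is an added example and is not SektionEins' or Esser's code: it constructs a minimal ARMv7 Mach-O dylib in memory (no code, just a header plus an LC_ID_DYLIB and an LC_VERSION_MIN_IPHONEOS command), parses those commands back out, and applies two triage heuristics. The constants come from Apple's `<mach-o/loader.h>`; the `build_sample_dylib`, `parse_macho` and `triage` functions, and the "DerivedData path is suspicious" heuristic, are this example's own assumptions. The install name used for the sample is the string reported in the article.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE                 # 32-bit Mach-O, read in native (little-endian) order
MH_DYLIB = 0x6                        # filetype: dynamically linked shared library
CPU_TYPE_ARM = 12
CPU_SUBTYPE_ARM_V7 = 9
LC_ID_DYLIB = 0xD                     # carries the library's own install name
LC_VERSION_MIN_IPHONEOS = 0x25        # minimum iOS version and the SDK it was built against

# Install name reported in the article for Unflod.dylib; reused here as the sample's install name
REPORTED_INSTALL_NAME = ("/Users/apple/Library/Developer/Xcode/DerivedData/"
                         "framework-guknhpkmreoccjbplfeebcklivmx/Build/Products/"
                         "Debug-iphoneos/framework.app/framework")


def _pack_version(major, minor, patch=0):
    """Encode X.Y.Z as the xxxx.yy.zz packed uint32 Mach-O uses for version fields."""
    return (major << 16) | (minor << 8) | patch


def _format_version(packed):
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def build_sample_dylib(install_name, sdk=(6, 1)):
    """Constructed sample: a minimal ARMv7 Mach-O dylib with only a header,
    an LC_ID_DYLIB and an LC_VERSION_MIN_IPHONEOS command (no segments, no code)."""
    name = install_name.encode() + b"\0"
    id_size = 24 + len(name)
    id_size += (-id_size) % 4             # load commands are padded to 4-byte alignment
    # dylib_command: cmd, cmdsize, name offset (24 = size of fixed part), timestamp, versions
    id_cmd = struct.pack("<6I", LC_ID_DYLIB, id_size, 24, 2, 0x10000, 0x10000)
    id_cmd += name.ljust(id_size - 24, b"\0")
    # version_min_command: cmd, cmdsize, version, sdk
    ver_cmd = struct.pack("<4I", LC_VERSION_MIN_IPHONEOS, 16,
                          _pack_version(*sdk), _pack_version(*sdk))
    cmds = id_cmd + ver_cmd
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    header = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7,
                         MH_DYLIB, 2, len(cmds), 0)
    return header + cmds


def parse_macho(data):
    """Walk the load commands of a 32-bit little-endian Mach-O and return the
    fields a responder cares about: arch, filetype, install name and SDK version."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, _flags = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError(f"unsupported magic 0x{magic:08x} (only 32-bit little-endian handled here)")
    info = {
        "arch": "armv7" if (cputype, cpusubtype) == (CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7)
                else f"cpu{cputype}/{cpusubtype}",
        "filetype": "MH_DYLIB" if filetype == MH_DYLIB else f"filetype{filetype}",
        "install_name": None,
        "sdk": None,
    }
    off, end = 28, 28 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load command table runs past end of file")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(data):
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off}")   # malformed or truncated
        if cmd == LC_ID_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            info["install_name"] = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
        elif cmd == LC_VERSION_MIN_IPHONEOS:
            _min_ver, sdk = struct.unpack_from("<II", data, off + 8)
            info["sdk"] = _format_version(sdk)
        off += cmdsize
    return info


def triage(filename, data):
    """Return the notes a responder would record for one MobileSubstrate extension.
    The DerivedData/Debug heuristic is this example's assumption: a shipped tweak
    rarely carries a developer's Xcode build directory as its install name."""
    info = parse_macho(data)
    notes = []
    if filename.lower() == "unflod.dylib":
        notes.append("filename matches the Unflod.dylib indicator")
    name = info["install_name"] or ""
    if "/DerivedData/" in name or "/Debug-iphoneos/" in name:
        notes.append(f"install name is an Xcode debug build path: {name}")
    if info["sdk"]:
        notes.append(f"built against iOS SDK {info['sdk']}")
    return info, notes


if __name__ == "__main__":
    sample = build_sample_dylib(REPORTED_INSTALL_NAME)
    info, notes = triage("Unflod.dylib", sample)
    print(info)
    for note in notes:
        print(" -", note)
```

On a real device the same `parse_macho` would be run over the bytes of each file under `/Library/MobileSubstrate/DynamicLibraries/`; the parser deliberately rejects anything that is not a 32-bit little-endian image and stops at any load command whose size runs past the table, so a truncated or deliberately malformed file raises instead of being misread.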

For now, deleting Unflod.dylib and changing your Apple ID password appears to be enough to recover from the attack. However, since the origin of the malware is still unknown, we can’t be certain whether any other malware was bundled with it.

“Technology runs through my veins...” | Follow me: @DrUsmanQ usman@iPhoneinCanada.ca

  • whatever

    Or, you know, don’t jailbreak your phone.

  • True

  • Chrome262

    Why is China so hot for our info?

  • To create a new Chrome262

  • Chrome262

    LOL well I didn’t JB this time around, iOS 7 gives me all I asked for in a JB. Good thing.

  • Well, in that case you’re safe.

    Wait, then there’s Heartbleed…

  • Ari

    I remember being told that I was an idiot when I pointed out that Jailbreaks, by their definition leave a device more vulnerable to attack by malware. You are essentially stripping the BSD jail sandboxing mechanism when you “jailbreak” leaving apps free to run amok on your device.

  • Chrome262

    Not too worried about that either, according to Apple it’s all good. But then again Google said the same thing hummm