Malware Infects Jailbroken iPhones to Steal Apple IDs and Passwords


A new piece of malware, dubbed 'Unflod Baby Panda', has been discovered infecting jailbroken iDevices in an attempt to steal the owner's Apple ID and password.

According to Stefan Esser, a hacker known as i0n1c: "On 17th April 2014 a malware campaign targeting users of jailbroken iPhones has been discovered and discussed by reddit users. This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device's Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers." The campaign was first noticed by Reddit users.

The malware is located at /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib on your iDevice. The threat is digitally signed with an iPhone developer certificate registered to a person called WANG XIN. It's unclear if this is a real person, a fake persona, or a victim of certificate theft.

It works like this: the malware hooks SSLWrite in Security.framework and scans the outgoing buffer for strings that indicate the presence of the Apple ID and its password. If those are found, the code attempts to connect to the IPs 23.88.10.4 and 23.228.204.55 on port 7878 and sends the stolen data out in plaintext.

Deleting Unflod.dylib and changing your Apple ID password appears to be enough to recover from the attack. However, since the origin of the malware cannot be located, I don't know whether any other malware was bundled with it. Thus, to be sure the threat is completely removed, you will need to do a full restore. Unfortunately, this means losing your jailbreak, unless a tweak or an update to Cydia is released shortly to address the malware.
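The indicators above (the dylib path and the two C2 addresses on port 7878) are enough for a quick self-check before deciding on a full restore. The following script is an added example written for this article and is not code from the original post or from SektionEins; it assumes you can run a POSIX shell on the device over SSH (or against a copied filesystem and a saved `netstat` capture), and the sample netstat lines it generates are constructed for the demo, with non-IOC addresses taken from the TEST-NET documentation range.

```shell
#!/bin/sh
# Added example (not from the original article): a defender's check for the
# Unflod.dylib indicators described in the text.
#   1. check_unflod_file DIR   -> does DIR contain Unflod.dylib?
#   2. scan_connections FILE   -> does a netstat capture show a connection to
#                                 one of the C2 IPs on port 7878?
# Hypothetical helper names; the paths and IOCs come from the article.

SUBSTRATE_DIR="${SUBSTRATE_DIR:-/Library/MobileSubstrate/DynamicLibraries}"
IOC_IPS="23.88.10.4 23.228.204.55"   # C2 addresses from the article
IOC_PORT=7878                         # C2 port from the article

# Returns 0 (found) if DIR contains Unflod.dylib, 1 otherwise.
check_unflod_file() {
    dir="$1"
    if [ -f "$dir/Unflod.dylib" ]; then
        echo "FOUND: $dir/Unflod.dylib"
        return 0
    fi
    return 1
}

# Reads netstat-style lines from FILE and prints every line whose foreign
# address is one of the IOC IPs on port 7878. BSD/iOS netstat prints the
# foreign address as IP.PORT, Linux as IP:PORT, so both separators match.
# A connection to port 7878 on some other host is deliberately NOT reported:
# the port alone is not an indicator, the IP + port pair is.
# Returns 0 if at least one match was printed, 1 otherwise.
scan_connections() {
    file="$1"
    hits=0
    for ip in $IOC_IPS; do
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for -E
        if grep -E "(^|[^0-9])${ip_re}[.:]${IOC_PORT}([^0-9]|$)" "$file"; then
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Writes a CONSTRUCTED netstat capture to FILE for demonstration: one benign
# TLS session, one connection to a C2 IP, and one decoy on port 7878 to a
# host that is not an IOC.
make_sample_netstat() {
    cat > "$1" <<'EOF'
tcp4       0      0  10.0.1.5.49312         203.0.113.7.443        ESTABLISHED
tcp4       0      0  10.0.1.5.49320         23.88.10.4.7878        SYN_SENT
tcp4       0      0  10.0.1.5.49321         192.168.1.10.7878      ESTABLISHED
EOF
}

# Stand-alone run: check the real substrate directory, then show the
# connection scan against the constructed capture.
demo() {
    if check_unflod_file "$SUBSTRATE_DIR"; then
        echo "Unflod.dylib present; delete it and change the Apple ID password."
    else
        echo "Unflod.dylib not present in $SUBSTRATE_DIR"
    fi
    tmpf=$(mktemp)
    make_sample_netstat "$tmpf"
    echo "Scanning constructed netstat capture for C2 connections:"
    if scan_connections "$tmpf"; then
        echo "C2 connection found"
    else
        echo "no C2 connection found"
    fi
    rm -f "$tmpf"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh check_unflod.sh --demo`; on a live device, replace the constructed capture with `netstat -an > capture.txt` and call `scan_connections capture.txt`. The file check only covers the path the article names, so a clean result does not rule out other bundled components, which is why the text still recommends a full restore.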

Source: sektioneins