Security researcher Stefan Esser has found (as reported by Ars Technica) that an issue reported on Reddit as causing crashes on jailbroken iPhones and iPads is in fact a piece of malware designed to capture Apple IDs and passwords from infected devices.

This malware appears to be of Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.

Early indications are that the malware arrived in a tweak downloaded from somewhere outside Cydia’s default sources. Esser also found that the binary is 32-bit only, so it cannot be loaded on the 64-bit iPhone 5s, iPad Air and iPad mini with Retina display; every other jailbroken device can run it. That is a limitation of this sample, not a protection offered by the 64-bit hardware.

Esser’s post says the malware is easy to check for, though not necessarily easy to remove. Over SSH (or a terminal app on the device), look in /Library/MobileSubstrate/DynamicLibraries/ for a file named Unflod.dylib or framework.dylib.
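The check above as a small POSIX shell script you can run over SSH on the device. This is an added example, not code from the article or from Esser’s write-up. It looks for the two filenames the article names and exits 1 if either is present, 0 if not, and 2 if the Substrate directory does not exist at all (which on a non-jailbroken device is the expected result). As an assumption about how MobileSubstrate works rather than anything the article states, it also marks any tweak that has no companion .plist filter file, since such a library is loaded into every process, which matches the hook-everything behaviour described above; treat those entries as worth a second look, not as proof of infection.

```shell
#!/bin/sh
# Added example: scan the MobileSubstrate tweak directory for the Unflod
# indicators named in the article. Run over SSH on the jailbroken device:
#     sh check_unflod.sh            (scans the real directory)
#     sh check_unflod.sh /some/dir  (scans another directory instead)
# Exit codes: 0 = nothing found, 1 = known Unflod filename present,
#             2 = directory missing (not jailbroken, or Substrate not installed)

SUBSTRATE_DIR=/Library/MobileSubstrate/DynamicLibraries
KNOWN_BAD="Unflod.dylib framework.dylib"      # the filenames given in the article

# scan_substrate_dir DIR
# Lists every .dylib in DIR, flags the known filenames, and marks tweaks that
# lack the companion .plist filter. Assumption (not from the article): Substrate
# loads a library without a filter plist into every process, which is exactly
# the hook-everything behaviour the write-up describes.
scan_substrate_dir() {
    dir=$1
    found=0
    if [ ! -d "$dir" ]; then
        echo "error: $dir does not exist (device not jailbroken, or wrong path)" >&2
        return 2
    fi
    for lib in "$dir"/*.dylib; do
        [ -e "$lib" ] || continue            # the glob matched nothing
        name=$(basename "$lib")
        if [ -f "${lib%.dylib}.plist" ]; then
            filter="has plist filter"
        else
            filter="NO plist filter: loads into every process"
        fi
        flag=""
        for bad in $KNOWN_BAD; do
            if [ "$name" = "$bad" ]; then
                flag="  <== KNOWN UNFLOD FILENAME"
                found=1
            fi
        done
        printf '%-32s %s%s\n' "$name" "$filter" "$flag"
    done
    if [ "$found" -eq 1 ]; then
        echo "Indicator found in $dir. The write-up recommends a full restore rather than just deleting the file, then changing the Apple ID password."
    else
        echo "No known Unflod filename in $dir (review any unexpected entry listed above)."
    fi
    return "$found"
}

# Run on the directory given as the first argument, or on the real Substrate
# directory when it exists (i.e. when this is executed on the device).
if [ $# -gt 0 ]; then
    scan_substrate_dir "$1"
elif [ -d "$SUBSTRATE_DIR" ]; then
    scan_substrate_dir "$SUBSTRATE_DIR"
fi
```

A filename check only catches this sample under the two names reported so far; `ls -lt` on the same directory shows the most recently installed tweaks first, which is a useful second pass when you know roughly when the crashes started.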

Currently the jailbreak community believes that deleting the Unflod.dylib/framework.dylib binary and changing the Apple ID’s password afterwards is enough to recover from this attack. However, it is still unknown how the dynamic library ends up on the device in the first place, and therefore it is also unknown whether it comes with additional malware gifts.

We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak.

Cydia developer Jay Freeman, aka Saurik, pointed out on Reddit that adding random download URLs to Cydia is as risky as opening attachments received in spam emails.


9 Responses to “Chinese iOS malware stealing Apple IDs and passwords from jailbroken devices”

  1. Wassim Jabi says:

    This is one of the reasons I never feel compelled to jailbreak my iOS devices. The “walled garden” may be limiting, but it also protects you. If I wanted all this headache that comes with flexibility, I would go for Android rather than jailbreak an iOS device.


    • Tim Jr. says:

      Exactly my view…


      • This doesn’t happen simply from jailbreaking your device, just as having an email inbox on your computer doesn’t infect your computer. My jailbroken device has more security with added firewall and privacy protections. Remember the SSL problem; the jailbreak community had it patched the same day. You don’t have to jailbreak your iDevice, but understand that it adds security and much-needed functionality. In order to get an option to download something like this malware, one would have to install a third-party repository, then select an option saying that even though it is NOT recommended you still do want to add the repository. Chances are it is on a server full of cracked apps, so nothing an honest user has to even think about. The jailbreak community is as safe as the Apple App Store and has been for the last 6 years thanks to Saurik and others like him.


  2. I have no sympathy for anyone who jailbreaks their device just to get a few more features or apps. If you jailbroke your phone and got nailed by the malware, then you got what you asked for. There are reasons Apple locks down the phone, and this is one of them. If you like getting into the guts of the phone to make these kinds of changes, then you should switch to Android; it’s made to do that.


    • You obviously have absolutely no idea what you are talking about! The mere process of jailbreaking your phone wouldn’t cause you to be infected by this. You would have to manually add an unsafe repository, agree to the warning that it is unsafe and then download a dodgy tweak. Please do a bit of research next time before letting your uninformed fingers loose on the keyboard.


  3. All I can say is that I pray that anyone who changed their theme after jailbreaking gets this. Simply because I’ve seen the themes people use and they are so stupid and have such poor taste that they deserve it.