iOS Malware Tries To Pilfer Passwords From Jailbroken Devices

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Chinese hackers may have created iOS malware called Unflod

Malware targeting jailbroken iOS devices has been spotted, with indications Chinese hackers created the password stealer, known as Unflod.

Reddit users posted about infected Apple machines earlier this month, saying the Unflod software was causing certain apps, including Snapchat and Google Hangouts, to crash.

Security researcher Stefan Esser analysed the malware and found that it tries to steal the device’s Apple ID and password, then sends the data to servers in the US run by hosting companies that serve Chinese customers.


It’s unknown how the malware was released into the wild, with some suggesting Chinese app stores were responsible. Unflod was also digitally signed with an iPhone developer certificate.

“It is important to remember that this threat only affects jailbroken iPhones and therefore the signature on the binary is not required for the malware to work at all. The fact that it is still there is an oversight (or misinformation) by the attacker,” Esser said in a blog post.

The actual code for Unflod is not particularly complex and the file is fairly small. “The malware basically hooks into SSLWrite of the Security.framework and scans the buffer for certain strings that indicate the presence of the Apple-ID and the password for it,” Esser added. “If those are found the code attempts to connect to the IPs 23.88.10.4 and 23.228.204.55 on port 7878 to send out the stolen data in plaintext.”

As for recourse, infected devices may have to be reset. “Currently the jailbreak community believes that deleting the Unflod.dylib/framework.dylib binary and changing the apple-id’s password afterwards is enough to recover from this attack,” the researcher said.

“However it is still unknown how the dynamic library ends up on the device in the first place and therefore it is also unknown if it comes with additional malware gifts.

“We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak.”
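As an added, defender-side illustration of the indicators Esser describes (this is example code, not from the article or from Esser's analysis): a short Python script that flags outbound TCP connections to the two IPs on port 7878 in a connection log, and the two file names the jailbreak community associates with the infection. The log line format, the timestamps and the directory paths are constructed assumptions.

```python
"""Flag the Unflod indicators named in the article: TCP connections to
23.88.10.4 or 23.228.204.55 on port 7878, and files named Unflod.dylib or
framework.dylib. Log format and paths below are constructed for this example."""
import ipaddress
import re

UNFLOD_C2 = {ipaddress.ip_address("23.88.10.4"), ipaddress.ip_address("23.228.204.55")}
UNFLOD_PORT = 7878
UNFLOD_FILES = {"unflod.dylib", "framework.dylib"}

# Assumed connection-log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_conn(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "proto": proto, "src": f"{src}:{sport}", "dst": dst_ip, "dport": int(dport)}


def find_c2_connections(lines):
    """Return the parsed records that match the exfiltration endpoint (IP + TCP/7878)."""
    hits = []
    for line in lines:
        rec = parse_conn(line)
        if rec and rec["proto"] == "tcp" and rec["dst"] in UNFLOD_C2 and rec["dport"] == UNFLOD_PORT:
            hits.append(rec)
    return hits


def find_suspect_files(paths):
    """Return paths whose base name matches the two file names from the article."""
    return [p for p in paths if p.rsplit("/", 1)[-1].lower() in UNFLOD_FILES]


# Constructed sample data: one benign HTTPS flow, two true hits, one UDP and one
# wrong-port near miss, and a malformed line that the parser must skip.
SAMPLE_LOG = [
    "2014-04-18T10:01:02Z tcp 10.0.0.5:50012 -> 192.0.2.10:443",
    "2014-04-18T10:01:09Z tcp 10.0.0.5:50013 -> 23.88.10.4:7878",
    "2014-04-18T10:01:15Z udp 10.0.0.5:50014 -> 23.228.204.55:7878",
    "2014-04-18T10:02:00Z tcp 10.0.0.5:50015 -> 23.228.204.55:443",
    "2014-04-18T10:02:31Z tcp 10.0.0.5:50016 -> 23.228.204.55:7878",
    "not a connection record",
]
SAMPLE_FILES = [  # directory is an assumed location, not taken from the article
    "/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/framework.dylib",
    "/Library/MobileSubstrate/DynamicLibraries/SomeTweak.dylib",
    "/usr/lib/libSystem.B.dylib",
]

if __name__ == "__main__":
    for h in find_c2_connections(SAMPLE_LOG):
        print(f"C2 connection at {h['ts']} from {h['src']} to {h['dst']}:{h['dport']}")
    for p in find_suspect_files(SAMPLE_FILES):
        print(f"suspect file: {p}")
```

Because the data is sent in plaintext, a network capture of the flagged flows can also be inspected directly for the Apple ID strings the hook is looking for.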

iPhone malware threats have been a rarity, with only one variant believed to have ever made it onto the official Apple App Store. Security experts have repeatedly warned about the dangers associated with jailbroken phones, which lose many of the protections that come with non-rooted devices.
