Tuesday, April 22, 2014

Active malware campaign steals Apple passwords from jailbroken iPhones

from arstechnica.com
Security researchers have uncovered an active malware campaign in the wild that steals the Apple ID credentials from jailbroken iPhones and iPads.

News of the malware dubbed "unflod," based on the name of a library that's installed on infected devices, first surfaced late last week on a pair of reddit threads here and here. In the posts, readers reported their jailbroken iOS devices recently started experiencing repeated crashes, often after installing jailbroken-specific customizations known as tweaks that were not a part of the official Cydia market, which acts as an alternative to Apple's App Store.

Since then, security researcher Stefan Esser has performed what's called a static analysis on the binary code that the reddit users isolated on compromised devices. In a blog post reporting the results, he said unflod hooks into the SSLWrite function of an infected device's Security framework. It then scans the outgoing data passed to that function for the strings that accompany the Apple ID and password as they're transmitted to Apple servers. When the credentials are found, they're sent on to attacker-controlled servers.

In an e-mail to Ars, Esser said the malicious code works only on 32-bit versions of jailbroken iOS devices. "There is no ARM 64-bit version of the code in the copy of the library we got," he wrote. "This means the malware should never be successful on [the] iPhone 5S/iPad Air or iPad mini 2G."

reddit readers said unflod infections can be detected by opening SSH or a terminal and checking the folder /Library/MobileSubstrate/DynamicLibraries for the presence of the Unflod.dylib file. Compromised devices may be disinfected by deleting the dynamic library, but since no one so far has been able to figure out how the malicious file is installed in the first place, there's no guarantee it won't somehow subsequently reappear.
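The check the reddit readers describe, written up as a small audit script (an added example, not code from the article, Esser's post or the reddit threads). It flags the Unflod.dylib file name reported on the page and also lists every other MobileSubstrate dylib for review; the directory argument, the "no companion .plist" heuristic and the optional dpkg ownership check are assumptions of this example, not facts from the article.

```shell
#!/bin/sh
# Added example: audit a MobileSubstrate DynamicLibraries directory for the
# Unflod.dylib file named in the reddit reports, and list every other dylib.
# Assumptions: the directory path may be passed in (defaults to the real one);
# Cydia installs software through dpkg, so a dylib owned by no package is
# flagged "unpackaged" when dpkg is available.

DEFAULT_DIR=/Library/MobileSubstrate/DynamicLibraries

# Prints one line per dylib: STATUS<TAB>path.
# Returns 1 if Unflod.dylib is present, 0 if not, 2 if the directory is missing.
audit_substrate_dir() {
    dir=${1:-$DEFAULT_DIR}
    found=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for lib in "$dir"/*.dylib; do
        [ -e "$lib" ] || continue            # glob matched nothing
        name=$(basename "$lib")
        status=ok
        # Indicator from the reports: the file is literally named Unflod.dylib.
        if [ "$name" = "Unflod.dylib" ]; then
            status=UNFLOD
            found=1
        # A dylib with no companion .plist filter is injected into every
        # process MobileSubstrate touches, so it deserves a second look.
        elif [ ! -e "${lib%.dylib}.plist" ]; then
            status=no-filter-plist
        fi
        # On a Cydia-managed device, dpkg -S names the owning package; a dylib
        # that no package owns was dropped there by something else.
        if command -v dpkg >/dev/null 2>&1 && ! dpkg -S "$lib" >/dev/null 2>&1; then
            status="$status,unpackaged"
        fi
        printf '%s\t%s\n' "$status" "$lib"
    done
    return $found
}
```

Run it over SSH on the device as `sh audit.sh` and review every line that is not plain `ok`; removing the file is only a stopgap, as the article notes, since the infection vector is unknown.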

"That is why we recommend to restore the device," Esser told Ars. "However, that means people will lose their jailbreak until a new one is released, and the majority of jailbreak users will not do that."

Of course, whichever course of disinfection users of infected devices choose, they should also change their Apple ID password as soon as possible.

The unflod campaign, which was also analyzed by researchers from antivirus provider Sophos, underscores the risks associated with installing unknown apps on jailbroken iPhones.

"I will also again take this moment to point out to anyone concerned that the probability of this coming from a default [Cydia] repository is fairly low," Cydia developer Jay Freeman, aka Saurik, wrote in one reddit comment. "I don't recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by e-mail on your desktop computer."