Recently, Apple iPhone and iPod users have been the target of a mysterious and active piece of malware that steals their passwords. The threat is dubbed “Unflod Baby Panda” after the name of the library installed on infected devices. It runs in the background of an iOS device and searches for all sorts of Apple credentials. The threat first came to light when Apple users complained on Reddit that applications such as Google Hangouts and Snapchat were crashing, which was traced to an automatically loaded Mobile Substrate add-on named “Unflod.”
Mobile Substrate, also known as Cydia Substrate, is a framework for jailbroken devices that lets users extend and modify the behaviour of iOS in ways Apple prohibits on non-jailbroken devices. Its methods range from hooking functions to intercepting system calls and making the system do things it would not normally allow.
According to the research carried out after its discovery, someone succeeded in creating a dynamic library for Cydia Substrate that hooks the iOS SSLWrite function in order to read data before it is encrypted and sent over a secure iOS connection. This is how the malware steals passwords from Apple users.
To study the threat further, security researcher Stefan Esser performed a static analysis of the binary that users had isolated on Reddit. He found that “unflod” hooks the SSLWrite function on the infected device and then scans the data passed to it for strings containing passwords.
Researchers are still unsure how the malicious “unflod” came to be installed on jailbroken devices in the first place, but it is assumed that it arrives in packages from unofficial repositories.
Unflod can now be detected easily by connecting to the device over SSH (or opening a terminal on it) and inspecting the folder /Library/MobileSubstrate/DynamicLibraries. A Chinese connection is also quite possible, because the library is digitally signed by someone named Wang Xin, although that may simply be a hoax or a fake persona used by the real author. In any case, active malware stealing passwords from Apple devices is not good news in terms of business revenue.
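As an added example that is not part of the original article, the following shell script automates the check described above: it lists every tweak in the Substrate folder named in the text, flags libraries whose name contains “unflod” or that reference SSLWrite, and reports which apps each tweak’s filter plist loads it into. The folder path is the one the article gives; the sample files the script creates for its demo run are constructed stand-ins, not real malware.

```shell
# Added example, not code from the original article: audit the Cydia
# Substrate tweak folder for libraries resembling Unflod. On a jailbroken
# device, run over SSH as:
#   audit_substrate_dir /Library/MobileSubstrate/DynamicLibraries

# Print one line per tweak; lines starting with SUSPICIOUS carry the reasons.
audit_substrate_dir() {
    dir="$1"
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue
        reasons=""
        lower=$(basename "$lib" | tr 'A-Z' 'a-z')
        # Reason 1: the library name the article associates with the threat.
        case "$lower" in *unflod*) reasons="$reasons name=unflod" ;; esac
        # Reason 2: a tweak referencing SSLWrite is positioned to read plaintext
        # before TLS encryption, which is how Unflod harvests passwords.
        if grep -aq 'SSLWrite' "$lib"; then
            reasons="$reasons hooks=SSLWrite"
        fi
        # Informational: the tweak's .plist filter says which apps it loads into.
        plist="${lib%.dylib}.plist"; bundles=""
        if [ -f "$plist" ]; then
            bundles=$(grep -ao 'com\.[A-Za-z0-9._-]*' "$plist" | sort -u | tr '\n' ',')
            bundles=${bundles%,}
        fi
        if [ -n "$reasons" ]; then
            echo "SUSPICIOUS $lib$reasons filter=${bundles:-none}"
        else
            echo "ok $lib filter=${bundles:-none}"
        fi
    done
}

# Number of suspicious tweaks in a folder, printed so it is easy to script on.
suspicious_count() {
    audit_substrate_dir "$1" | grep -c '^SUSPICIOUS' || true
}

# Constructed sample folder (plain text files, not real malware): one tweak
# mimicking Unflod's traits and one benign tweak, so the audit runs offline.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'MSHookFunction SSLWrite\n' > "$d/Unflod.dylib"
    printf '<key>Bundles</key><array><string>com.apple.UIKit</string></array>\n' > "$d/Unflod.plist"
    printf 'draws a clock on the lock screen\n' > "$d/LockClock.dylib"
    echo "$d"
}

demo=$(make_demo_dir)
audit_substrate_dir "$demo"
echo "$(suspicious_count "$demo") suspicious tweak(s) found"
rm -rf "$demo"
```

On a real device, pass the article’s folder path to `audit_substrate_dir` instead of the demo directory; any line marked SUSPICIOUS deserves a closer look before the library is deleted.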
So for now it does not really matter whether the developer certificate is valid, because a malicious library does not need a valid digital signature to run on a jailbroken device. The main concern is to find a way to stop it from spreading further.
The malware can be removed by simply deleting it, but since the source of the infection is not known, it may well return in the future. Deletion should therefore be understood as a temporary measure, and jailbroken devices remain under threat.
The only real way out is for Apple users to change their passwords as soon as possible, choosing new ones as unrelated to the previous ones as possible. Since the malware affects only jailbroken iOS devices, it probably will not affect other users, who are nonetheless advised to stay clear of third-party material and random software from unknown sources. Doing so should prevent 50 percent of the attacks by this active malware aimed at stealing Apple passwords.
By Sunando Basu