Devs, hackers hunt for iOS malware author

Hackers and developers are on a hunt to reveal the creator of a mysterious piece of malware that steals Apple usernames and passwords from jailbroken devices.

The Unflod malware, a name resembling the legitimate and popular Unfold iOS tweak, surfaced sometime in February. It infected users downloading unknown applications from the Cydia jailbreak store.

Users of Cydia can add their own application sources, allowing them to access software from a variety of developers and their pirate spin-offs.

It is the latter sources that have attracted the most suspicion as the host of the unflod malware.

Analysis by users and iPhone hacker Stefan Esser has revealed Unflod captures usernames and passwords for the Apple App Store by listening to outgoing SSL connections and funnels the details off to attackers based in China. 

"From these connections it tries to steal the device's Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers," Esser said in a post.

"The malware basically hooks into SSLWrite of the Security.framework and scans the buffer for certain strings that indicate the presence of the Apple-ID and the password. If those are found the code attempts to connect to the IPs 23.88.10.4 and 23.228.204.55 on port 7878 to send out the stolen data in plaintext."

The malware version analysed affects only 32 bit jailbroken iPhones and iPads, meaning modified iPhone 5s devices and iPad Air units appear safe, along with all stock devices.

Sophos Australia researcher Paul Ducklin said by hooking the SSLWrite function, the malware could view sensitive data before it was encrypted.

"That means the malware gets to peek at confidential data before it is encryption for transmission," Ducklin said.

The Apple user and developer community seems at a loss to explain how the malware appears on devices. Suspicions over possible hosts for iOS tweaks linked to Unflod have not been confirmed.

Much of the deep analysis into the malware suggests Unflod dynamically downloads to devices after installation of a jailbreak tweak, making it difficult to pin blame on a given application or source.

Removing Unflod.dylib appeared to clear the threat but Esser warned it was not enough to safeguard Apple credentials.

He said victims should wipe their jailbroken phones, bringing them back to Apple's stock firmware despite risks of losing the modification, until a jailbreak exploit could be developed for the latest iOS releases.

"Currently the jailbreak community believes that deleting the Unflod.dylib / framework.dylib binary and changing the Apple-id's password afterwards is enough to recover from this attack. However it is still unknown how the dynamic library ends up on the device in the first place and therefore it is also unknown if it comes with additional malware gifts," Esser said.

In his analysis, the Esser found the malware was unnecessarily signed with an Apple developer certificate registered to Wang Xin, which he noted may be the name of a victim whose certificate was stolen or may be a simple throw-off to investigators.

Apple has been contacted regarding the termination of the Xin account.

Official stock repositories installed on jailbroken phones were not necessarily free of Unflod since determining which wares fetch the malware after installation remains a difficult task, but prominent Cydia developer Jay Freeman (@Saurik) said it was likely to be contained in a third-party unpopular app due to the small number of infections.

"A piece of malware has shown up on a few jailbroken devices - it's almost certainly installed via something on a non-default repository (such as a pirate repository), and it's probably installed via a less-popular package, since it's not very common," Freeman said.

"... nobody has figured out yet exactly where it comes from."

Concerned users can install an application to check for and remove instances of the malware and should keep tabs on their devices after installing further wares from Cydia.