Malware steals Apple IDs from jailbroken iPhones, iPads

updated 06:11 pm EDT, Tue April 22, 2014

Works on 32-bit devices only for now, takes advantage of same flaws jailbreak uses

As has been predicted for some time, a new malware threat exploits the same flaws in iOS that jailbreaking tools use in order to install itself on older jailbroken iPhones and iPads. The malware, likely to be found in devices where the user has installed third-party customizations, scans for the Apple ID and password of the user, then transmits it to remote servers. Current, 64-bit iOS devices like the iPhone 5s, iPad Air or second-generation iPad mini -- and un-jailbroken iOS devices of all sorts -- appear to be immune so far.

The malware, now dubbed "unflod" after the library that is installed on infected devices (and signed with an Apple Developer signature, though this may have been stolen), can be seen on 32-bit jailbroken iOS devices by opening the SSH/Terminal that is usually installed during the jailbreaking process and searching the path "/Library/MobileSubstrate/DynamicLibraries" for a file called Unflod.dylib. It is unclear if simply deleting that file will permanently remove the malware, since it is possibly hidden inside one of the installed "tweaks" and may be re-downloaded or reinstalled when the suspect tweak is used again.
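The check described above, as an added example that is not part of the original article or of Esser's or Sophos's analysis: a small POSIX shell function to run from the SSH or Terminal session on a jailbroken device. It lists every extension library in the MobileSubstrate directory, flags the `Unflod.dylib` name the article gives, and, because the article warns the file may be dropped again by an installed tweak, asks `dpkg` (the package manager Cydia installs, assumed present) which package owns the file. The directory argument and the use of `dpkg -S` are assumptions for illustration; the filename and path come from the article.

```shell
#!/bin/sh
# Inventory MobileSubstrate extension libraries and flag the "unflod" library.
# Usage: sh check_unflod.sh [DIR]
# DIR defaults to the path named in the article; pass another directory to test.

check_unflod() {
    dir="${1:-/Library/MobileSubstrate/DynamicLibraries}"
    found=0

    if [ ! -d "$dir" ]; then
        # Directory absent: either the device is not jailbroken or the path differs.
        echo "no such directory: $dir"
        return 2
    fi

    for lib in "$dir"/*.dylib; do
        [ -e "$lib" ] || continue            # glob matched nothing
        name=$(basename "$lib")
        case "$name" in
            [Uu]nflod.dylib)
                found=1
                echo "SUSPECT: $lib ($(wc -c < "$lib") bytes)"
                # Assumption: dpkg is available (Cydia installs it). Knowing the owning
                # package tells you which tweak to remove, since deleting the file alone
                # may not be enough if a tweak reinstalls it.
                if command -v dpkg >/dev/null 2>&1; then
                    dpkg -S "$lib" 2>/dev/null || echo "  not owned by any installed package"
                fi
                ;;
            *)
                echo "present: $lib"
                ;;
        esac
    done

    # Exit status: 0 = nothing flagged, 1 = Unflod.dylib present, 2 = directory missing.
    return $found
}

# Only run when a directory is given on the command line; otherwise the file
# can be sourced to use check_unflod interactively.
if [ $# -gt 0 ]; then
    check_unflod "$1"
fi
```

The non-zero exit status makes the function usable from a one-line cron or SSH check; a listing of every `.dylib` present is printed either way, so an unfamiliar library name stands out even if it is not the one the article names.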

Security researcher Stefan Esser, who investigated the issue after reports appeared on Reddit about repeated crashes, says (according to Ars Technica) that the library hooks the SSLWrite function in an infected device's Security framework and uses that hook to scan for strings associated with Apple ID logins. Sophos Labs, which has also analyzed the threat, has received no reports of compromised Apple IDs "in the wild" due to the attack thus far, but victims may not be aware that their ID has been compromised, or may not think to report the problem to the company.

The Mobile Substrate code, which is used by unofficial software to modify and extend iOS into areas specifically set as off-limits by Apple -- for example, a library that circumvents the carrier's own caller ID so that users have some way of seeing what number is calling without paying the carrier to do so -- can just as easily be used, on jailbroken devices, to install malicious software. While the jailbroken community as a whole has been generally lucky on this front so far, an exploit -- any exploit -- can be used for nefarious or benign injection of code, which is why Apple strongly recommends against jailbreaking phones even though it is legal to do so.

Applications that have hidden functionality, usually designed to get around Apple App Store rules, are well known among jailbreakers. A few have been successful in escaping Apple's scrutiny and successfully appearing on the App Store, but almost none of them had any malicious intent. Exploiting software flaws in mobile platforms is worth a lot of money now, notes security researcher Charlie Miller, vastly increasing the temptation to use jailbreak exploits for illicit purposes.

The relative unpopularity of jailbreaking in the iOS community is one of the reasons why the platform enjoys such a dramatically lower incidence of malware -- statistically, zero -- compared to Android, which allows a much wider community of unpoliced and unofficial app stores, and unsurprisingly now has 99 percent of all mobile malware directed at it.

Restoring an iOS device infected with "unflod" to stock iOS, which also removes the jailbreak, permanently fixes the issue, reports Esser, since un-jailbroken devices cannot be compromised by the malware. Users do take the risk, however, that future system upgrades will make it even more difficult for their devices to be jailbroken, meaning they keep the security but lose the unofficial tweaks and apps they enjoyed.

Jay Freeman, known as "Saurik" and creator of the primary unofficial app marketplace, Cydia, told Reddit readers that the "probability of this coming from a default [Cydia] repository is fairly low," but added that he doesn't recommend "people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by email on your desktop computer."

by MacNN Staff



  1. msuper69

    Professional Poster

    Joined: 01-16-00

    I have no sympathy for jailbreakers. They remove the most important security feature of iOS devices so who's surprised that the malware follows shortly thereafter.
    At least MacNN put 'jailbreak' in the headline, unlike most of other web sites who leave that part off to give the impression that iOS is susceptible to malware.
